Firewall_Rule_Base_Best_Practices.doc

Have some method of reviewing them periodically—be it manual, a commercial tool such as WebTrends, or a homegrown script (even a series of greps or finds). There are a number of such scripts on the Internet, many written in Perl or using UNIX utilities. There are versions of Perl and the UNIX textutils for Windows environments (see http://www.jpsdomain.org/windows/win-tools.html#unix_utilities). (Note: do not install Perl on a firewall!) Or, you can use an outsourced monitoring company. I have it on good authority that Counterpane Internet Security is pretty good.

Do log important traffic—such as any incoming traffic (see “Services Guidelines” on page 7). Do not log unimportant traffic—such as internal Microsoft Networking and bootp broadcasts (see “Services Guidelines” on page 7).

Use a “Service Network” for Public Services

Use a “Service Network” (AKA DMZ, AKA “screened network”) for public services such as your web or FTP server. This used to be true for SMTP (e-mail) servers as well, but most modern firewalls have built-in, hardened and secure mail relay proxies. A service network is a good idea for extranet/partner connections as well. The advantages are that you have fine-grained control over what traffic is allowed, and you can log it. Be careful if you use the same service net for more than one partner connection, or if you put a partner connection on the same service network as your public servers. In the former case, one partner could conceivably gain access to the other’s network via your link. In the latter case, your partner could conceivably use your Internet resources (e.g. to bypass content filters imposed by their own network by going through your Internet link).

Use Well Designed and Consistent Firewall and Object Naming

Most modern firewalls use some kind of graphical and object-oriented interface. Give careful thought to your naming conventions. The object name is often required to be the same as the resolvable DNS name, which may be published.

© Copyright 2000-2003, JP Vossen http://www.jpsdomain.org/security/rulebasebp.html

Firewall Rule Base Best Practices 2003-01-27 Page 6 of 8

Consider what would happen if you used too generic a name, then merged with another company (no matter how unlikely you may think this to be, plan for it anyway. Plan to scale up too). For example, calling the firewall object “firewall” and the LAN object “LAN” is neither scalable nor will it work well if you merge or open new sites. There is also an ongoing debate that the firewall name should be something that does not indicate that it is, in fact, a firewall. This is security by obscurity and never works in and of itself. It may, however, add a slim “layer” of security that might be beneficial.
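The "series of greps or finds" review script the document mentions, together with its advice to log incoming traffic but not internal Microsoft Networking or bootp broadcasts, looks roughly like the following. This is an added example, not code from the document or from JP Vossen; the log lines are constructed for the example and loosely imitate Netfilter/iptables syslog output, and it assumes eth0 is the Internet-facing interface. Adapt the field names and interface to your own firewall's log format.

```shell
#!/bin/sh
# Added example: a homegrown "series of greps" firewall log review.
# Log format and addresses below are constructed for this example.

# Constructed sample log. Assumption: eth0 faces the Internet, eth1 is the
# internal LAN, eth2 is the service network (DMZ).
SAMPLE_LOG=$(cat <<'EOF'
Jan 27 10:00:01 fw1 kernel: ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 27 10:00:02 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23
Jan 27 10:00:03 fw1 kernel: DROP IN=eth1 OUT= SRC=10.0.0.15 DST=10.0.0.255 PROTO=UDP DPT=137
Jan 27 10:00:04 fw1 kernel: DROP IN=eth1 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP DPT=67
Jan 27 10:00:05 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=22
Jan 27 10:00:06 fw1 kernel: ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=21
Jan 27 10:00:07 fw1 kernel: DROP IN=eth1 OUT= SRC=10.0.0.22 DST=10.0.0.255 PROTO=UDP DPT=138
Jan 27 10:00:08 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=3389
EOF
)

# Filter out the "unimportant" traffic: Microsoft Networking broadcasts
# (NetBIOS, UDP 137-139) and bootp/DHCP (UDP 67/68). Ideally the rule base
# does not log these at all; this filter catches what still gets through.
strip_noise() {
    grep -v -E 'PROTO=UDP DPT=(13[789]|6[78])$'
}

# How many lines the noise filter removed; useful for tuning the rule base.
count_noise() {
    total=$(printf '%s\n' "$SAMPLE_LOG" | wc -l)
    kept=$(printf '%s\n' "$SAMPLE_LOG" | strip_noise | wc -l)
    echo $((total - kept))
}

# The "important" traffic: connections accepted on the Internet-facing
# interface, summarised as "port:count" so unexpected services stand out.
accepted_inbound_ports() {
    printf '%s\n' "$SAMPLE_LOG" | strip_noise \
      | grep 'IN=eth0' | grep ' ACCEPT ' \
      | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | sort -n | uniq -c \
      | awk '{ print $2 ":" $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# External source with the most dropped packets, as "<count> <ip>":
# a quick "who keeps knocking" check for the periodic review.
top_dropped_source() {
    printf '%s\n' "$SAMPLE_LOG" | strip_noise \
      | grep 'IN=eth0' | grep ' DROP ' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | head -n 1 \
      | awk '{ print $1, $2 }'
}

echo "Noise lines removed:            $(count_noise)"
echo "Accepted inbound (port:count):  $(accepted_inbound_ports)"
echo "Most-dropped external source:   $(top_dropped_source)"
```

For a real log, replace `printf '%s\n' "$SAMPLE_LOG"` with the log file (or a `find` over rotated logs) and run the script from cron; the three functions are the kind of summary a reviewer reads weekly, and the noise count tells you which rules still log traffic the document says not to bother with.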