[unisog] Firewalls for Windows sheep

Russell Fulton r.fulton at auckland.ac.nz
Sat Feb 8 09:35:36 GMT 2003

On Sat, 2003-02-08 at 09:58, STeve Andre' wrote:
>    What do you do on your firewalls for protecting your 
> Windows sheep--I mean clients?
>    I'm thinking along the lines of the traditional firewall
> at the edge of a network which blocks ports.  What is
> your strategy here--do you block the known vulnerable
> ports, or take the opposite approach and block most
> everything opening up only what you know you need?
>    Specific data is great.  I use OpenBSD's pf so those
> would be even cooler to see. ;-)  Any links to places
> that spout their philosophy would be neat too.

We are in the process of migrating our firewall from TAMU's Drawbridge
(which has done sterling service for many years) to pf.

Our standard workstation access blocks *all* incoming TCP sessions and
UDP to ports below 1024. 

We also have a list of protocols that we don't allow out either,
including SMTP, X, Berkeley R*, etc.

Seems to work very well for us.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
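
The workstation policy described in the message above, sketched as a pf.conf fragment in current OpenBSD pf syntax (an added example, not part of the original post and not the University of Auckland's ruleset). The interface name, the network address, the port numbers chosen for X and the Berkeley r-commands, and the choice to pass everything not named are assumptions.

```pf
# Added example. All names and addresses below are constructed.
# Syntax check without loading: pfctl -nf <this file>

ext_if = "em0"            # assumed name of the Internet-facing interface
ws_net = "192.0.2.0/24"   # constructed workstation network (documentation range)

# Protocols the message says are not allowed out. Port choices are assumptions:
#   25        SMTP
#   512:514   Berkeley r-commands (exec, login, shell)
#   6000:6063 X11 displays :0 to :63
no_out_tcp = "{ 25, 512:514, 6000:6063 }"

set skip on lo

# pf uses the last matching rule, so start permissive and carve out the blocks.
# "pass" keeps state by default: replies to sessions a workstation opened
# match the state entry and are never evaluated against the block rules below.
pass all

# Inbound: no new TCP sessions to workstations at all.
block in log on $ext_if inet proto tcp from any to $ws_net

# Inbound: no UDP to privileged ports on workstations.
block in log on $ext_if inet proto udp from any to $ws_net port < 1024

# Outbound: workstations may not speak the listed protocols to the outside.
# "return" sends a TCP RST so clients fail fast instead of timing out.
block return out log on $ext_if inet proto tcp from $ws_net to any port $no_out_tcp
```

Servers that must accept inbound connections would need explicit pass rules placed after the block rules, since this fragment covers only the standard workstation case.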

