[unisog] Firewalls for Windows sheep

Shane Williams shanew at shanew.net
Sun Feb 9 20:59:17 GMT 2003


I assume you meant standard procedure for you.  Being in an academic
environment, our department takes the opposite approach.  We lock down
what needs to get locked down and leave the rest open.

While this may place our machines at higher risk, it makes the lives
of our users much easier.  And with the time we save not having people
request this or that port to be opened, we keep machines
well-patched and watch the system with both network- and host-based
IDSs.

We use bridging firewalls (No need to alter clients' IP settings)
"near" the edge, but have a DMZ where the primary servers live.  The
bridging firewalls are slightly older Dell boxes running Linux with
bridging and IPTables.

Of course, a great deal depends on the geography and needs of your
network and your clients.  What works for us may not be at all
appropriate for your situation.

On Fri, 7 Feb 2003, Arnold, Jamie wrote:

> Standard procedure is to open only what's needed and only to the hosts
> needed.
> 
> There are many opinions on whether to use an edge device or several
> departmental devices.  I prefer the edge option.
> 
> j
> 
> -----Original Message-----
> From: STeve Andre' [mailto:andres at msu.edu] 
> Sent: Friday, February 07, 2003 3:59 PM
> To: 'unisog at sans.org'
> Subject: [unisog] Firewalls for Windows sheep
> 
> 
>    What do you do on your firewalls for protecting your 
> Windows sheep--I mean clients?
> 
>    I'm thinking along the lines of the traditional firewall
> at the edge of a network which blocks ports.  What is
> your strategy here--do you block the known vulnerable
> ports, or take the opposite approach and block most
> everything opening up only what you know you need?
> 
>    Specific data is great.  I use OpenBSD's pf so those
> would be even cooler to see. ;-)  Any links to places
> that spout their philosophy would be neat too.
> 
> Thanks,  STeve Andre'  (MSU dept of Political Science)
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
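As an added illustration of the two policies discussed in this thread (a default-allow bridging firewall with selected ports closed, versus a default-deny edge that opens only what is needed to the hosts that need it), here is a small POSIX shell script. It is not from the original thread or any of its authors. It prints an iptables ruleset for a two-port Linux bridge rather than applying it, so the rules can be reviewed before use. The interface names, the DMZ address and the port lists are placeholder assumptions, and it assumes bridge-netfilter (so bridged frames pass through the FORWARD chain) and the iptables physdev match.

```shell
#!/bin/sh
# Added example (not from the original thread): print an iptables ruleset
# for a two-port Linux bridging firewall in either of the two policies
# discussed above.  Nothing is applied; the commands are only printed so
# they can be reviewed, then piped to sh on the bridge if wanted.
#
# Assumptions (placeholders, not values from the thread):
#   - eth0 faces the campus network, eth1 faces the department's clients
#   - bridge-netfilter is enabled, so bridged frames traverse FORWARD
#   - the iptables physdev match is available
#   - 192.0.2.10 (TEST-NET) stands in for the DMZ web server

OUTSIDE=eth0
INSIDE=eth1
DMZ_SERVER=192.0.2.10

# Ports closed toward the clients in "open" mode: Windows RPC/NetBIOS/SMB.
BLOCKED_PORTS="135 137 138 139 445"

emit() { printf '%s\n' "$*"; }

# Bring up a bridge with no IP address of its own, so clients keep their
# existing IP settings.
bridge_setup() {
    emit "brctl addbr br0"
    emit "brctl addif br0 $OUTSIDE"
    emit "brctl addif br0 $INSIDE"
    emit "ifconfig $OUTSIDE 0.0.0.0 up"
    emit "ifconfig $INSIDE 0.0.0.0 up"
    emit "ifconfig br0 up"
}

# Common start: flush FORWARD, set the default policy, keep existing flows.
preamble() {
    emit "iptables -F FORWARD"
    emit "iptables -P FORWARD $1"
    emit "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# "open": leave everything open, drop only the chosen inbound ports.
rules_open() {
    preamble ACCEPT
    for p in $BLOCKED_PORTS; do
        for proto in tcp udp; do
            emit "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE -p $proto --dport $p -j DROP"
        done
    done
}

# "closed": drop everything inbound, allow only listed services to listed hosts.
rules_closed() {
    preamble DROP
    # Clients may still initiate outbound connections.
    emit "iptables -A FORWARD -m physdev --physdev-in $INSIDE -j ACCEPT"
    # Inbound: only HTTP/HTTPS to the DMZ web server.
    for p in 80 443; do
        emit "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE -p tcp -d $DMZ_SERVER --dport $p -j ACCEPT"
    done
}

generate_rules() {
    case "$1" in
        open)   bridge_setup; rules_open ;;
        closed) bridge_setup; rules_closed ;;
        *) echo "usage: generate_rules open|closed" >&2; return 1 ;;
    esac
}

# Number of explicit DROP rules a mode produces (0 means the default
# policy, not a rule, does the dropping).
count_drop() { generate_rules "$1" | grep -c -- '-j DROP' || true; }

# generate_rules open        # review the output; then: generate_rules open | sh
```

The "open" mode mirrors the approach in the reply above: the default policy accepts, a short list of inbound ports is refused toward the clients, and the remaining risk is carried by patching and IDS. The "closed" mode mirrors the quoted default-deny position: nothing comes in unless a rule names both the service and the host, and the ESTABLISHED,RELATED rule is what lets replies to client-initiated connections back through.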
