If you are running an office lan with visitor laptops, would it not be wise to run a policy of

loc net REJECT

Then in your rules:

ACCEPT loc net ssh, http, pop, imap, smtp(?)

Thereby keeping any nasty traffic inside and reserving your bandwidth for important traffic. What else would you allow? IMs? What ports?

Some of these are philosophical issues, I'm interested in other people's views. I certainly don't want p2p traffic soaking up our vital network feeds.

--
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815) 301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
At home I run everything under a DROP or REJECT policy. The point for me is not so much to reserve bandwidth as it is to force myself to ID everything that is happening. This is for security, which is what firewalling is all about. Ease of access is really diametrically opposed to security.

If some user, or myself, infects a system with a rogue program, and it tries to contact the net, I want to know about it. If a user wants to run a new program, I want them to ask for help making it work so I can evaluate it for safety or level of risk and have an opportunity to train the user in safe practices. When you open a port, you aren't just opening it for a trusted application either. It is then open for all applications that might use it. Who knows if the visiting laptop is using an up-to-date, secure version.

For some protocols, I restrict access by unix group so that only trusted users are granted use of that resource on the net. For other protocols, I allow access, but I always log activity. This way, I can see accesses that could be abused in a firewall report, and, based on whether it is expected or not, can investigate further. This has actually helped me restrict my rules later because I saw circumstances beginning to occur when contractors started doing things that regulars did not.

I certainly would not go out of my way to make "visiting laptops" life easy since there is no telling how many ugly creatures reside on them. Back in the days when floppies were the mode of virii spreading, one who never allowed a visiting floppy in their drive also was never infected. It really is the same today, except that the floppy is now a network attached device.

In our corporate environment, all IM, toolbars like google desktop, are strictly forbidden because of the increased risk. For that matter, all browsers except the officially IT supported one are forbidden, and an outsider laptop is NEVER allowed to come near the network.
Now, at home, since every machine is individually firewalled with Shorewall, I don't mind letting guests on, because again, the policy file on every system _only_ contains REJECT and DROP - even for $FW.

That is my "philosophy" if philosophy is what you want. Certainly not everyone will have the same one.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Chris Mason (Lists)
Sent: Wednesday, March 01, 2006 7:02 PM
To: Shorewall-Users
Subject: [Shorewall-users] Best Practices - loc => net policy
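The loc-to-net REJECT policy Chris proposes, combined with the logging and unix-group restriction Kevin describes, written out as Shorewall 3.x policy and rules files. This is an added example, not configuration posted in the thread; the three-zone layout (fw, net, loc), the port list and the unix group "trusted" are assumptions.

```conf
# /etc/shorewall/policy  (Shorewall 3.x column layout; assumed zones fw/net/loc)
# Default-deny in both directions. The "info" log level records every
# rejected loc->net attempt, so the nightly firewall report shows what tried
# to leave the LAN; an unexpected destination port is the lead to investigate.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    REJECT   info
$FW       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Everything loc may reach on the 'Net is spelled out explicitly. The weak
# alternative is a single "loc net ACCEPT" policy line: it opens every port
# for every application (p2p included) and logs nothing.
#ACTION      SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIG DEST  RATE  USER/GROUP
# web browsing
ACCEPT       loc     net   tcp    80,443
# POP3 and IMAP to outside mail providers
ACCEPT       loc     net   tcp    110,143
# DNS
ACCEPT       loc     net   udp    53
ACCEPT       loc     net   tcp    53
# Outbound SMTP is allowed but logged: an infected client that starts
# spraying mail shows up in the log instead of leaving silently.
ACCEPT:info  loc     net   tcp    25
# Kevin's group-based restriction. The USER/GROUP column only applies to
# traffic originating on the firewall host itself ($FW), so ssh out of the
# firewall is limited to members of the (assumed) unix group "trusted".
ACCEPT       $FW     net   tcp    22     -       -       -     :trusted
# DNS for the firewall host itself
ACCEPT       $FW     net   udp    53
ACCEPT       $FW     net   tcp    53
```

Anything not listed (IM, p2p, toolbars phoning home) is rejected by the policy line and appears in the log, which is exactly the signal Kevin uses to decide whether a new rule is justified.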
Bulgrien, Kevin wrote:
>
> That is my "philosophy" if philosophy is what you want. Certainly not
> everyone will have the same one.
>

That's _exactly_ what I wanted. The technical I can do, the philosophy is harder to evaluate.

--
Chris Mason
Bulgrien, Kevin wrote:
> At home I run everything under a DROP or REJECT policy. The point for
> me is not so much to reserve bandwidth as it is to force myself to ID
> everything that is happening. This is for security, which is what
> firewalling is all about. Ease of access is really diametrically opposed to
> security.

That's a very good point. Finding the right balance between ease of access (keeping users happy and meeting management goals) and prevention of access (security) is the real challenge! Here's a good example of the wrong way to achieve that balance:

"With the computing experience you don't achieve full potential if you're having to worry about something like security. So that's our commitment to people. We'll make sure that's not holding people back in terms of getting these great new experiences." — Bill Gates
http://news.bbc.co.uk/2/hi/programmes/click_online/4215183.stm

> If some user, or myself, infects a system with a rogue program,
> and it tries to contact the net, I want to know about it. If a user wants
> to run a new program, I want them to ask for help making it work so I can
> evaluate it for safety or level of risk and have an opportunity to train
> the user in safe practices. When you open a port, you aren't just opening
> it for a trusted application either. It is then open for all applications
> that might use it. Who knows if the visiting laptop is using an up-to-date,
> secure version.
> ...
> For other protocols, I allow access, but I always log activity. This
> way, I can see accesses that could be abused in a firewall report, and,
> based on whether it is expected or not, can investigate further.
> This
> has actually helped me restrict my rules later because I saw circumstances
> beginning to occur when contractors started doing things that regulars
> did not.

My philosophy is quite similar to Kevin's, except that i've found that pragmatically speaking, i could fill all of my time investigating software on visiting laptops and adding firewall rules to allow legitimate services. At work, i'm in the unfortunate position of being required to support personal laptops that are routinely put on staff members' home networks and played with by their children. :-( (These laptops act as each staff member's primary work computer.) We do our best to help them out by automatically pointing all staff laptops at our Windows update server (WSUS) and supplying anti-virus and anti-spyware software, but there always seems to be /something/ wrong with at least one of them (not usually security-related, i might add).

> I certainly would not go out of my way to make "visiting laptops" life
> easy since there is no telling how many ugly creatures reside on them.
> Back in the days when floppies were the mode of virii spreading, one who
> never allowed a visiting floppy in their drive also was never infected.
> It really is the same today, except that the floppy is now a network
> attached device.

The difference today is that you simply can't enforce the rule of never allowing an unknown floppy into your drive. The closest equivalent would be banning computers from ever connecting to any network.

> In our corporate environment, all IM, toolbars like google desktop, are
> strictly forbidden because of the increased risk. For that matter, all
> browsers except the officially IT supported one are forbidden, and an
> outsider laptop is NEVER allowed to come near the network.

In my opinion, this will become less and less practical to implement over time.
The concept of the disappearing perimeter in network security has garnered a bit of attention in recent years and is worth reading about:
http://www.google.com/search?q=network+security+disappearing+perimeter

One i found particularly helpful for my situation was:
http://www.arubanetworks.com/technology/whitepapers/defenseindepth/
(PDF version at http://www.arubanetworks.com/pdf/defense-in-depth.pdf)

> Now, at home, since every machine is individually firewalled with
> Shorewall, I don't mind letting guests on, because again, the policy
> file on every system _only_ contains REJECT and DROP - even for $FW.

On my home LAN, i use these policies for the most part, but i allow my guest network open access to the 'Net. I segregate my own PCs from guest PCs, so i'm not worried about them compromising anything else, and i'm on a fixed cost ADSL plan, so i have no concerns about cost blowout.

So, to answer your original question, Chris, i would say: do it /if you can/. On home networks, it's almost certainly practical. In small businesses or schools (say up to 30 or maybe 50 PCs), it would probably work. In environments much larger than that, unless you have full-time network security staff, my feeling is that it's infeasible. At work, i have 3.6 full-time staff to administer about 600 devices (including servers, PCs, laptops, printers, managed switches), and i don't have any dedicated security staff (and little interest in security from management). So i set my policies for my client VLANs to REJECT (without logging), direct web access to my proxy server using wpad.dat, and deal with any access issues as they come up.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Most email-borne viruses use a false sender address, so you cannot track down the sender using that address. Instead, keep your virus scanning software up-to-date and just delete any suspicious emails you receive.
It would seem sensible to separate our own systems from the guest's systems. I can't do that physically as each villa has only one pipe to it, albeit a fiber, but is it worth implementing VLANs? I really have never figured VLANs out as everything I read just describes it as a way to connect geographically distant networks, not what I am trying to do. How could devices share the physical lan but be securely separated from each other?

--
Chris Mason
Chris Mason (Lists) wrote:
> It would seem sensible to separate our own systems from the guest's
> systems. I can't do that physically as each villa has only one pipe to
> it, albeit a fiber, but is it worth implementing VLANs?

The short answer is: yes. The long answer is: maybe - depends what you're trying to achieve. :-)

I use VLANs as a way of segregating untrusted PCs into zones to minimise the "blast radius" of any security or performance problems that might occur. If you have a different trust philosophy when it comes to desktops, or if you have too small a number of hosts to justify it, you may decide not to use them.

> I really have
> never figured VLANs out as everything I read just describes it as a way
> to connect geographically distant networks, not what I am trying to do.
> How could devices share the physical lan but be securely separated from
> each other?

Devices can be on the same physical switch but securely separated from one another by VLANs, provided that the switch is configured to have the devices in separate VLANs, and does not allow VLAN tagging on their ports.

Devices cannot be on the same physical LAN and be securely separated. (Devices on the same physical LAN can be /insecurely/ separated for administrative purposes, by putting unknown MAC addresses in a different IP address range to known ones, and that's worth doing sometimes.)

Paul
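Paul's VLAN answer, and the guest-versus-own-PCs split he mentions for his home LAN, expressed as a Shorewall 3.x zone, interface and policy configuration over one physical fiber. This is an added example, not configuration from the thread; the zone names, VLAN IDs 10/20, interface names eth0/eth1 and the switch layout described in the comments are assumptions.

```conf
# /etc/shorewall/zones -- one zone per VLAN (names assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
# our own PCs, VLAN 10
loc     ipv4
# visiting laptops, VLAN 20
guest   ipv4

# /etc/shorewall/interfaces
# Both zones arrive on the same physical NIC (eth1) as 802.1Q sub-interfaces.
# Switch side, per Paul's caveat: the port facing eth1 is the only tagged
# trunk (VLANs 10 and 20); every client port is an untagged access port in
# exactly one VLAN and does not accept tagged frames, so a guest cannot
# simply tag its own frames into VLAN 10. The sub-interfaces are created
# before Shorewall starts, e.g. with
#   ip link add link eth1 name eth1.10 type vlan id 10
# (or "vconfig add eth1 10" on older systems).
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags
loc     eth1.10     detect      tcpflags
guest   eth1.20     detect      dhcp,tcpflags

# /etc/shorewall/policy
# Guests get the 'Net (Paul's home arrangement; an office would use REJECT
# plus explicit rules here instead) but never the staff VLAN or the firewall.
# Guest->loc is logged: a guest probing our PCs is worth a look.
#SOURCE   DEST    POLICY   LOG LEVEL
guest     net     ACCEPT
guest     loc     REJECT   info
guest     $FW     REJECT   info
loc       guest   REJECT
loc       net     REJECT   info
net       all     DROP     info
all       all     REJECT   info
```

With this layout the "blast radius" of a compromised visitor laptop is VLAN 20: the only path to VLAN 10 is through the firewall, where the guest-to-loc policy rejects and logs it.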
Paul Gear wrote:
> My philosophy is quite similar to Kevin's, except that i've found that
> pragmatically speaking, i could fill all of my time investigating
> software on visiting laptops and adding firewall rules to allow
> legitimate services.

But how much does the user need? Once they can browse the web (80 and 443), check mail (110, 143) and have access to our smtp (25), what else is there?

I suppose we need to add IMs, what ports does that open?

What else in your experience?

--
Chris Mason
Chris Mason (Lists) wrote:
> Paul Gear wrote:
>> My philosophy is quite similar to Kevin's, except that i've found that
>> pragmatically speaking, i could fill all of my time investigating
>> software on visiting laptops and adding firewall rules to allow
>> legitimate services.
> But how much does the user need? Once they can browse the web (80 and
> 443), check mail (110, 143) and have access to our smtp (25), what else is
> there?
>
> I suppose we need to add IMs, what ports does that open?
>
> What else in your experience?

Chris, we can't do your job for you. Every user's requirements are different, and you have to work out what is right for your network.

Some common services are defined for you in Shorewall actions. For those that aren't, "Google is your friend".

Paul
Paul Gear wrote:
>
> Chris, we can't do your job for you. Every user's requirements are
> different, and you have to work out what is right for your network.
>
> Some common services are defined for you in Shorewall actions. For
> those that aren't, "Google is your friend".
>

I don't need the service numbers, I know them well, I'm just talking about your experience with balancing users' needs with security.

I'm reading the papers you suggested, great stuff, thanks.

Chris
Chris Mason wrote:
> ...
>> Chris, we can't do your job for you. Every user's requirements are
>> different, and you have to work out what is right for your network.
>>
>> Some common services are defined for you in Shorewall actions. For
>> those that aren't, "Google is your friend".
>>
> I don't need the service numbers, I know them well, I'm just talking
> about your experience with balancing users' needs with security.
>
> I'm reading the papers you suggested, great stuff, thanks.

Sorry Chris - i didn't mean to imply you didn't know the common service numbers. What i was trying to say is that Shorewall actions (and macros in 3.x) are provided to show you what other people have found helpful - whether you enable them for loc2net on your site is what you will have to research and decide for yourself. I'm sure plenty of people on this list would be able to comment on the relative merits or demerits of particular services, but we can't just give you a list of "loc2net essentials". :-)

--
Paul <http://paulgear.webhop.net>
--
Did you know? Using HTML email rather than plain text is less efficient, taking anywhere from 2 to 20 times longer to download, and a corresponding amount more space on disk. Learn more about using email efficiently at <http://www.expita.com/nomime.html>.