Pelican Parts Forums (http://forums.pelicanparts.com/)
Network Security Firewall question (http://forums.pelicanparts.com/off-topic-discussions/454216-network-security-firewall-question.html)

masraum 01-29-2009 03:28 PM

Network Security Firewall question
 
I have a question for you who do security stuff.

Normal setup inside corp intranet and outside is the internet. Do you have traffic from the inside to the outside wide open, or do you have a few permit statements and then everything else gets denied?

I understand that it's more secure to say "permit from the internal networks to the internet on port 80 and 443" and then let everything else be denied (greatly over simplified, of course, you'd have to permit more than 80 and 443).

Do any of you restrict outbound access like that, only allowing a few (relatively) ports/protocols from the inside to the outside or do you basically have a "permit ip any any" from the inside to the outside?

I would assume that only the most security conscious places, military, govt, financial, etc..., would resort to limiting outbound access to that level, but I'm curious what you guys do/have seen.

Thanks

KaptKaos 01-29-2009 03:45 PM

Depends.

Sorry, not the best answer, but it does. It depends on the company and their culture.

A rigid environment, with the need for lots of security - it's locked down and often there are proxies in use for browsing.

In a small office, with not a lot of rules, it's often wide open.

Of course, there are exceptions.

Default-Deny is a popular method. Everything is closed unless someone says it needs to be opened.

Good luck.

mikester 01-29-2009 03:49 PM

+1 on the 'It depends'

Is there a legal team involved or not?

Smaller environments have fewer rules, but in larger environments the general user population has ZERO real access to the internet (or shouldn't, at least).

Any access to the internet is through a filtered web proxy. The user networks don't even need a route to the internet at that point - just the proxy server. This model means the firewall from the inside to the outside is far less complex and I would argue should work well in even a small environment that has multiple subnets.

Axeman 01-29-2009 04:11 PM

+1 also on the "It depends".

I manage a global network for a large company but because we're a media/software company, usually all outbound traffic to the Internet is allowed because our users need to get to sites like Youtube, and everything else you can imagine. Obviously if it was a financial institution or the military, everything would be locked down.

masraum 01-29-2009 04:21 PM

Yeah, we don't have a proxy here. Without a proxy, I think that trying to determine what should be allowed outbound will be an enormous job. Maybe I need to sell the security team a proxy.

The security here is a joke. We have a security team, but the "senior security analyst III" doesn't understand IP addresses and ports and protocols. He can make a mean screen saver though. I was amazed when I got here. We've got 2500-3000 employees and they are all local admins. I'm still amazed by that. This year we have overall security as one of our focuses.

Thanks

KFC911 01-29-2009 04:22 PM

Quote:

Originally Posted by mikester (Post 4452345)
+1 on the 'It depends'....

+1.
As already stated, "typical" users would access the Internet only through a proxy server.
If access is required "from" the Internet (to your servers, web sites, etc.) then a firewall DMZ would typically be in place so no one is accessing your network "directly", and techniques like NAT'ing (IP Network Address Translation) are implemented to "hide" your intranet's real addresses from the Internet.
VPN (Virtual Private Network) tunnels are one way to typically provide secure, encrypted access (in or out depending...).
Fundamental infrastructure components (DNS lookups for example) would need to be considered.

Those are just a few items to consider, but it really "just depends" upon your environment, your requirements (both for access and security) and how much you're willing to spend to protect yourself from the "Internet pandora's box" :).

masraum 01-29-2009 04:29 PM

Quote:

Originally Posted by Axeman (Post 4452383)
+1 also on the "It depends".

I manage a global network for a large company but because we're a media/software company, usually all outbound traffic to the Internet is allowed because our users need to get to sites like Youtube, and everything else you can imagine. Obviously if it was a financial institution or the military, everything would be locked down.

We're somewhere in the middle. We shouldn't be wide open, but we don't need to be locked down like the military or a financial institution. I don't think a proxy is a bad idea. The security team here has a web filter, but a proxy/filter seems like a better idea, and we have host antivirus (I doubt its effectiveness). They've also disabled the ability to turn on auto-updates in Windows, which would be fine except that they don't update for us very often.

This is going to be a mess. When they lock down the PCs all hell is going to break loose, but I agree with having them locked down. I certainly don't trust the average corp user with a PC. We've got a VP or something somewhere that wants to use his personal Mac as his corp PC, and I'm amazed that no one has told him "NO".

masraum 01-29-2009 04:31 PM

Quote:

Originally Posted by KC911 (Post 4452405)
+1.
As already stated, "typical" users would access the Internet only through a proxy server.
If access is required "from" the Internet (to your servers, web sites, etc.) then a firewall DMZ would typically be in place so no one is accessing your network "directly", and techniques like NAT'ing (IP Network Address Translation) are implemented to "hide" your intranet's real addresses from the Internet.
VPN (Virtual Private Network) tunnels are one way to typically provide secure, encrypted access (in or out depending...).
Fundamental infrastructure components (DNS lookups for example) would need to be considered.

Those are just a few items to consider, but it really "just depends" upon your environment, your requirements (both for access and security) and how much you're willing to spend to protect yourself from the "Internet pandora's box" :).

Yes, we have DMZs for our servers that require internal and external access. We are also NATed. We also have DNS on the outside, DMZ and inside so even that isn't a direct route.

masraum 01-29-2009 04:34 PM

Thanks all, lots of good info. I hadn't even considered the proxy thing. I've got a good handle on most security theory (most of it is common sense really), but I'm not a security guy. This is also my first gig in a "normal" environment that has these sort of concerns.

KFC911 01-29-2009 04:53 PM

Quote:

Originally Posted by masraum (Post 4452438)
...but I'm not a security guy....

Me neither, nor do I play one on TV, and furthermore, I slept in my own bed last night :)

mikester 01-29-2009 05:36 PM

I think in any environment a proxy is almost as important as a firewall, but in small environments folks can figure "what's the point?".

Well, mitigating risk saves money. IF the general populace can't get to the internet - well that is even better than a firewall and a default deny.

You also save on folks having carte blanche access to the internet and their various P2P apps that they don't need to run at work on company bandwidth. Using a proxy for http/https/ftp traffic means that you control what happens a lot more, and that control mitigates a significant risk. Viruses are nasty little buggers and a simple AV product is not enough.

Beyond the proxy is a firewall of course, with DMZs set up for the proxy to sit in. Then you simply control access to the proxy from the corporate network and give the proxy access to the external internet via a select group of ports.

I am our network security specialist at the global company I work for and I have worked as such at a number of different types of organizations from government to ecommerce to large corporate manufacturing (at present).

Security is not cheap on the large scale but you can mitigate risk by taking a number of inexpensive steps.

masraum 01-29-2009 06:27 PM

Thanks. I'm going to try to sell the proxy. As soon as it was mentioned I had a head-slap moment. Several times I've gotten requests to set up static NAT and open holes from the internet to servers that aren't on the DMZs, and I always tell them "no way in hell". It only makes sense. Never have traffic go from the internet to the inside. Traffic should always go from inside to DMZ or outside to DMZ, but never inside to outside. It never clicked that we've got 2500 idiots with admin access doing whatever they want from the inside to the outside. Makes me shudder just to think about it.

stealthn 01-29-2009 06:45 PM

Sorry, gonna rock the boat here, but if it's a new install: ALWAYS deny first and permit after. The benefits over and above tighter security:
- You make the users/BA/Developers understand their applications better
- If you have an outbreak (inside, which is more likely than a pen outside) you can prevent the "call homes" or reverse DOS, saving you from a lawsuit.
- SOX and other compliance checks will fail you for not denying.

The best is to have defense in depth, router on inside doing routing and traffic shaping, firewalls doing rule enforcement, and router on outside policing traffic to prevent DOS's etc.

Good luck
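The egress design mikester and stealthn describe (users reach only the proxy in the DMZ, the proxy alone reaches the Internet on a few ports, everything else falls to an implicit deny that is logged) modelled as a small rule evaluator. This is an added Python example, not code from the thread or from any product named in it; the zones, addresses and the proxy port 3128 are constructed for illustration.

```python
"""Default-deny egress policy versus "permit ip any any" (added example).

All CIDRs, addresses and the proxy port below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # source CIDR
    dst: str                           # destination CIDR ("0.0.0.0/0" = any)
    proto: str = "any"
    dports: frozenset = frozenset()    # empty = any destination port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


class Policy:
    """First-match rule list; anything unmatched is denied and recorded."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.denied = []  # audit trail of implicitly denied flows for review

    def evaluate(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        self.denied.append(f)  # the implicit deny, logged
        return "deny"


# Constructed zones: inside users, the DMZ, the proxy host inside the DMZ.
INSIDE, DMZ, PROXY, ANY = "10.0.0.0/8", "172.16.0.0/24", "172.16.0.10/32", "0.0.0.0/0"

# The "permit ip any any" the thread warns about: nothing is ever denied.
WIDE_OPEN = Policy([Rule("permit", ANY, ANY)])

# Default deny: users -> proxy only; proxy -> Internet on 80/443 only;
# DNS out of the DMZ resolver only (DNS is one of the components to consider).
DEFAULT_DENY = Policy([
    Rule("permit", INSIDE, PROXY, "tcp", frozenset({3128})),  # assumed proxy port
    Rule("permit", PROXY, ANY, "tcp", frozenset({80, 443})),
    Rule("permit", DMZ, ANY, "udp", frozenset({53})),
])

SAMPLE_FLOWS = [  # constructed traffic (TEST-NET addresses for the outside)
    Flow("10.1.2.3", "172.16.0.10", "tcp", 3128),     # user browsing via the proxy
    Flow("172.16.0.10", "203.0.113.5", "tcp", 443),   # proxy fetching the site
    Flow("10.1.2.3", "203.0.113.5", "tcp", 443),      # user bypassing the proxy
    Flow("10.1.2.3", "198.51.100.7", "tcp", 6667),    # infected host "calling home"
    Flow("10.1.2.3", "198.51.100.7", "udp", 53),      # host resolving DNS on its own
]


def audit(policy: Policy, flows) -> dict:
    """Evaluate each flow; denied ones accumulate in policy.denied."""
    return {f: policy.evaluate(f) for f in flows}


if __name__ == "__main__":
    for name, pol in (("permit ip any any", WIDE_OPEN), ("default deny", DEFAULT_DENY)):
        print(f"--- {name} ---")
        for f, action in audit(pol, SAMPLE_FLOWS).items():
            print(f"{action:6} {f.proto} {f.src} -> {f.dst}:{f.dport}")
```

Under the wide-open policy the "call home" and the proxy bypass look identical to legitimate browsing; under default deny they are the only entries in the denied list, which is exactly what an outbreak investigation wants to read.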

masraum 01-29-2009 08:53 PM

Thanks. It's nowhere near a new install, and I do have some things to add to the beginning that are deny. I think the security will require a pretty thorough refresh. We've got most of the hardware. It's just not implemented well. I've done some basic clean-up, but they've had me doing other stuff since I started last year. Since I started I've been saying that the security is non-existent. Now all of a sudden, they are fast and furious on getting the security into shape.

jeffgrant 01-29-2009 09:40 PM

First thing I would do is perform a Threat Analysis, and use that to set the business policies. Get them signed off by the Powers That Be. Clearly spell out what things you are protecting yourselves against, and what you're not. Management wants everything, but never wants to spend the money required for it. If/when **** goes wrong, they won't understand that, they'll just point fingers.

Then take that and implement it using the appropriate hardware/software and design. Be sure to implement the required changes in end-user policies, etc.

Are you a small start-up selling a simple widget, or are you a bank doing international banking transactions? Are you a marketing company, or are you hosting an online service? All of these have different requirements.

Too many people just start implementing network security for the sake of implementing network security.

And be sure to include proper monitoring and logging as part of that security.


And remember, good security is part of the design, not a bolt-on or after-thought.


Again, it all depends on what you want, what you need, and what you can afford to do (cash, time, effort, etc).

KaptKaos 01-29-2009 09:52 PM

Quote:

Originally Posted by masraum (Post 4452685)
2500 idiots with admin access doing whatever they want from the inside to the outside.

:eek::eek::eek::eek::eek::eek::eek::eek::eek::eek:

Of course I assume you mean local admin, but geez, that's bad enough!

One outbreak and kiss your job goodbye. The first "consultant" that comes in to review the aftermath will see this and you will be out faster than you can imagine!

You are the tool. Management makes the decisions. Give them the information and make them decide how to wield the tool. Cover your arse with the documentation of their decisions and your notifications to them of such.

I wouldn't let another day go by that I didn't tell the CIO, COO or other such officer of the risks of having 2500 users with local admin rights.

masraum 01-30-2009 06:23 AM

Quote:

Originally Posted by KaptKaos (Post 4453049)
:eek::eek::eek::eek::eek::eek::eek::eek::eek::eek:

Of course I assume you mean local admin, but geez, that's bad enough!

One outbreak and kiss your job goodbye. The first "consultant" that comes in to review the aftermath will see this and you will be out faster than you can imagine!

You are the tool. Management makes the decisions. Give them the information and make them decide how to wield the tool. Cover your arse with the documentation of their decisions and your notifications to them of such.

I wouldn't let another day go by that I didn't tell the CIO, COO or other such officer of the risks of having 2500 users with local admin rights.

Fortunately, that's on someone else's butt, not mine. And yes, it's local admin access.

Also, we have a "Security team" and I'm not on it. They are the policy makers. So if this goes south, it's not really on my head. I'm just the voice of reason coming in telling folks how bad things are and that something needs to be done.

masraum 01-30-2009 04:07 PM

Do any of you gents have recommendations for proxy servers? What proxy servers do you use?

Thanks

mikester 01-30-2009 04:12 PM

squid

masraum 01-30-2009 04:21 PM

Ouch, I was afraid someone would say that. Our Security guys aren't that technical. They'd have to hire someone to manage it.

KaptKaos 01-30-2009 04:31 PM

2500 seats and not that technical?!?!

I assume it's an MS shop then? LOL

Seriously, ISA offers proxy services iirc. Also, WebMarshal is a proxy that offers content filtering. It's pretty easy to use and with good reporting. You'll want to set up an LDAP pull to AD so that you can make rules by user and group. You don't want AD access on a forward-facing proxy.

PM me if you need more details.

mikester 01-30-2009 04:45 PM

I thought that might be the case....

Why do companies hire security "experts" that can't f'ing DO anything?

masraum 01-30-2009 05:01 PM

Yeah, like I said, security here is non-existent. It's really scary. I'm a network guy that has some experience with firewalls, ids/ips, and vpns. I've done some reading on Security, and honestly, most security is pretty common sense, but a company like this needs a couple of technical folks that are hard core security guys. I'm not a security guy, just a network guy that knows some security basics.

We have developers, database folks, UNIX, AIX, and Windows here. The "Security team" is 2 guys. One guy says he has some experience with firewalls and IDS stuff, but I think much less than I do. I'd consider him a Jr security guy. The other guy here who had his title as "Senior Security Analyst III" doesn't understand ports, protocols, IPs, etc.... But he does make a mean screen saver that reminds us to not leave our passwords lying around for folks to see.

KaptKaos 01-30-2009 05:05 PM

Quote:

Originally Posted by mikester (Post 4454849)
Why do companies hire security "experts" that can't f'ing DO anything?

Easy Mikey... count to 10, take a breath. Serenity now, serenity now. SmileWavy

masraum 01-30-2009 05:05 PM

Quote:

Originally Posted by mikester (Post 4454849)
I thought that might be the case....

Why do companies hire security "experts" that can't f'ing DO anything?

These guys have an outsourced event correlation solution, BT Counterpane, but it's only partially implemented.

They have an outsourced security scanner, Qualys.

Internet filter, 8e6

IM filter/logger, Akonix

And that's about it.

Ideally, I'd like to see them doing something else, and get a serious security guy or two in here. I figure I'd learn something from them, and we'd actually have some security.

masraum 01-30-2009 05:07 PM

Quote:

Originally Posted by KaptKaos (Post 4454889)
Easy Mikey... count to 10, take a breath. Serenity now, serenity now. SmileWavy

goosfrabaaaaa

http://newsimg.bbc.co.uk/media/image...lumbia_300.jpg

KaptKaos 01-30-2009 06:59 PM

Quote:

Originally Posted by masraum (Post 4454890)
Internet filter, 8e6

8e6 and Marshal merged. WebMarshal is in their kit bag and may actually be what they are running.

Akonix has several products, and is pretty good, as long as it is installed correctly.

masraum 01-30-2009 08:18 PM

Our 8e6 is only doing web filtering. I think we got it before they merged. Either way, I think ours is before they merged and only filters for content or it is correctly implemented (or both).

We SPAN our internet feed to the 8e6 and it will filter via TCP resets. The security team is getting ready to deploy a remote filter so that company laptops can't surf porn no matter where you are. I actually don't care if the porn is filtered. My problem is that the folks deploying the solution aren't smart enough to really know what they are doing.

The Akonix seems to be a decent product. My manager tried to get us/me to manage it, but I've convinced him to let them have it. We have enough to do with the rest of the network.

mikester 01-30-2009 09:18 PM

Seriously - don't mean to hijack, but I'm at my wit's end (in all fairness it was a short trip).

I, like you, am just the network engineer. I happen to have held a few security positions before I went to this current job, which was supposed to be a straight network job.

I honestly wasn't really sure I wanted to do security anymore because by and large companies don't want to do it and I was tired of fighting for something companies saw as purely an expense with zero return.

If you haven't had a breach and ended up in the news then you don't need to do any serious security. If you haven't had your entire windows infrastructure compromised by some stupid worm - you don't need security.

In November they laid off our IT Security Director. He wasn't stupid but the job he was doing wasn't very successful. I'm not sure it was his fault but if he had a few more technical minds around him rather than the 'analysts' he would have had some problems solved.

They haven't replaced him and don't seem to intend to.

I want the job - but let me be clear: I do not want that job.

Now we're down to 2 'security' personnel, a technical analyst who means well and tries but is spread so thin he has no chance for success. And a 'manager' (with no reports) who tries desperately to get anyone else to manage the security project she needs done (rather than simply managing the project herself to ensure it does get the proper attention). She's nice, I like her but she clearly doesn't want to do the job she has. They both report to our CTO who doesn't seem to want to have anything to do with them.

I'm the Network Engineer, I 'know' firewalls. I 'know' VPN, I know host based firewalls and I am reasonably good with IDS/IPS and create secure environments using standard Cisco routers and switches. I know more than routers, I am competent in systems - more so in the *NIX environment than windows but I can hold my own.

We are in the process of building our security project plans this year - the CTO has a bi-weekly meeting with his security duo on Monday. It's supposed to be an hour. I spend the better part of a couple of days working up reasonably simple slides for a couple of projects we need to do this year. I work up the numbers, the hardware, and hand it to the 'IT Security Manager'.

The meeting is supposed to be an hour. I get a message from her later in the day to call her back, as the meeting was only 15 minutes and she wasn't sure she was able to give him all the information. As I finish listening to the message, the CTO walks into my cube and asks me if I have a minute to go over the project plans I've been doing.

So we go over the 4 project line items we need to do and he really wants to cut as much as he can. It's irritating but I understand where he is coming from - the only return from this is staying out of the paper in a C*O's eyes. Right now, publicity like this to our very public company would only add insult to injury. I go over the slides with him, the spreadsheets, the money and the risk as well as what we can do as a compensating control in lieu of NOT spending this money or some of it. He spends an hour with me instead of his security team. I think he walked away thinking I single handedly saved him $600k from his budget and I think I got most of what I want to get done. We'll see. Quarterly results are announced on Monday and I'm fully expecting they are just going to shut the IT department down and start stringing up cups between buildings.

I've been trying to get a series of firewalls in place with policies other than 'permit ip any any log' for the better part of 2 years.

I just needed to vent that I guess..

goosfrabaaaaa

Paul_Heery 01-31-2009 04:08 AM

Quote:

Originally Posted by masraum (Post 4452299)
I understand that it's more secure to say "permit from the internal networks to the internet on port 80 and 443" and then let everything else be denied (greatly over simplified, of course, you'd have to permit more than 80 and 443).

Do any of you restrict outbound access like that, only allowing a few (relatively) ports/protocols from the inside to the outside or do you basically have a "permit ip any any" from the inside to the outside?

Sorry I'm late to the party, but I wanted to respond to Steve's original question.

Whatever you do, it needs to be backed up by your InfoSec policy. Otherwise, it has no teeth and exception after exception will be made.

Not to provide any specific details of our policies, but anything other than port 80 or 443 access to the untrust must have specific, detailed, approved and documented business justification. By default, our users get just that access and it is all proxied.

We also filter access to the web based upon content (both inappropriate and potentially dangerous). We also heavily monitor that traffic via an IDP system for potential vulns and intrusion attempts. That's just for the general population. If we have to grant other access because of justified business reasons, that's when we get really serious about security.

I do want to point out that reliance on point solutions is folly. You need to have an overall approach that is sponsored, funded, blessed and followed by the C-level in your organization to stand a chance of improving the security of your environment.


All times are GMT -8.