Network Security Firewall question

[masraum]

I have a question for you who do security stuff.

Normal setup inside corp intranet and outside is the internet. Do you have traffic from the inside to the outside wide open, or do you have a few permit statements and then everything else gets denied?

I understand that it's more secure to say "permit from the internal networks to the internet on port 80 and 443" and then let everything else be denied (greatly over simplified, of course, you'd have to permit more than 80 and 443).

Do any of you restrict outbound access like that, only allowing a few (relatively) ports/protocols from the inside to the outside or do you basically have a "permit ip any any" from the inside to the outside?

I would assume that only the most security conscious places, military, govt, financial, etc..., would resort to limiting outbound access to that level, but I'm curious what you guys do/have seen.

Thanks

[KaptKaos]

Depends.

Sorry, not the best answer, but it does. It depends on the company and their culture.

A rigid environment, with the need for lots of security - it's locked down and often there are proxies n use for browsing.

In a small office, with not a lot of rules, its often wide open.

Of course, there are exceptions.

Default-Deny is a popular method. Everything is closed unless someone says it needs to be opened.

Good luck.

[mikester]

+1 on the 'It depends'

Is there a legal team involved or not?

Smaller environments have less rules but in larger environments the general user population has ZERO real access to the internet (or shouldn't at least).

Any access to the internet is through a filtered web proxy. The user networks don't even need a route to the internet at that point - just the proxy server. This model means the firewall from the inside to the outside is far less complex and I would argue should work well in even a small environment that has multiple subnets.

[Axeman]

+1 also on the "It depends".

I manage a global network for a large company but because we're a media/software company, usually all outbound traffic to the Internet is allowed because our users need to get to sites like Youtube, and everything else you can imagine. Obviously if it was a financial institution or the military, everything would be locked down.

[masraum]

Yeah, we don't have a proxy here. Without a proxy, I think that trying to determine what should be allowed outbound will be an enormous job. Maybe I need to sell the security team a proxy.

The security here is a joke. We have a security team, but the "senior security analyst III" doesn't understand IP addresses and ports and protocols. He can make a mean screen saver though. I was amazed when I got here. We've got 2500-3000 employees and they are all local admins. I'm still amazed by that. This year we have overall security as one of our focuses.

Thanks

[KFC911]

Quote:

Originally Posted by mikester

+1 on the 'It depends'....

+1.
As already stated, "typical" users would access the Internet only through a proxy server.
If access is required "from" the Internet (to your servers, web sites, etc.) then a firewall DMZ would typically be in place so no one is accessing your network "directly", and techniques like NAT'ing (IP Network Address Translation) are implemented to "hide" your intranet's real addresses from the Internet.
VPN (Virtual Private Network) tunnels are one way to typically provide secure, encrypted access (in or out depending...).
Fundamental infrastucture components (DNS lookups for example) would need to be considered.

Those are just a few items to consider, but it really "just depends" upon your environment, your requirements (both for access and security) and how much you're willing to spend to protect yourself from the "Internet pandora's box" .

[masraum]

Quote:

Originally Posted by Axeman

+1 also on the "It depends".

I manage a global network for a large company but because we're a media/software company, usually all outbound traffic to the Internet is allowed because our users need to get to sites like Youtube, and everything else you can imagine. Obviously if it was a financial institution or the military, everything would be locked down.

We're somewhere in the middle. We shouldn't be wide open, but we don't need to be locked down like the military or a financial institution. I don't think a proxy is a bad idea. The security team here has a web filter, but a proxy/filter seems like a better idea, and we have host antivirus (I doubt it's effectiveness). They've also disabled the ability to turn on auto-updates in Windows which would be fine except that they don't update for us very often.

This is going to be a mess. When they lock down the PCs all hell is going to break loose, but I agree with having them locked down. I certainly don't trust the average corp user with a PC. We've got a VP or something somewhere that wants to use his personal MAC as his corp PC, and I'm amazed that no one has told him "NO".

[masraum]

Quote:

Originally Posted by KC911

+1.
As already stated, "typical" users would access the Internet only through a proxy server.
If access is required "from" the Internet (to your servers, web sites, etc.) then a firewall DMZ would typically be in place so no one is accessing your network "directly", and techniques like NAT'ing (IP Network Address Translation) are implemented to "hide" your intranet's real addresses from the Internet.
VPN (Virtual Private Network) tunnels are one way to typically provide secure, encrypted access (in or out depending...).
Fundamental infrastucture components (DNS lookups for example) would need to be considered.

Those are just a few items to consider, but it really "just depends" upon your environment, your requirements (both for access and security) and how much you're willing to spend to protect yourself from the "Internet pandora's box" .

Yes, we have DMZs for our servers that require internal and external access. We are also NATed. We also have DNS on the outside, DMZ and inside so even that isn't a direct route.

[masraum]

Thanks all, lots of good info. I hadn't even considered the proxy thing. I've got a good handle on most security theory (most of it is common sense really), but I'm not a security guy. This is also my first gig in a "normal" environment that has these sort of concerns.

[KFC911]

Quote:

Originally Posted by masraum

...but I'm not a security guy....

Me neither, nor do I play one on TV, and furthermore, I slept in my own bed last night

[mikester]

I think in any environment that a proxy is almost as import as a firewall but in small environments folks can figure "what's the point?".

Well, mitigating risk saves money. IF the general populace can't get to the internet - well that is even better than a firewall and a default deny.

You also save on folks having carte blanche access to the internet and their various P2P apps that they don't need to run at work on company bandwidth. Using a proxy for http/https/ftp traffic means that you control what happens a lot more and that control mitigates a significant risk. Viruses are nasty little buggers and a simple AV projects is not enough.

Beyond the proxy is a firewall of course with DMZs setup for the proxy to sit in. Then you simply control access to the proxy to the corporate network and give the proxy access to the external internet via a select group of ports.

I am our network security specialist at the global company I work for and I have worked as such at a number of different types of organizations from government to ecommerce to large corporate manufacturing (at present).

Security is not cheap on the large scale but you can mitigate risk by taking a number of inexpensive steps.

[masraum]

Thanks. I'm going to try to sell the proxy. As soon as it was mentioned I had a head-slap moment. Several times I've gotten requests to setup static NAT and open holes from the internet to servers that aren't on the DMZs, and I always tell them "no way in hell". It only makes sense. Never have traffic go from the internet to the inside. Traffic should always go from inside to DMZ or outside to DMZ, but never inside to outside. It never clicked that we've got 2500 idiots with admin access doing whatever they want from the inside to the outside. Makes me shudder just to think about it.

[stealthn]

Sorry gonna rock the boat here, but if it's a new install; ALWAYS deny first and permit after. The benfits over an above tighter security:
- You make the users/BA/Developers understand their applications better
- If you have an outbreak (inside, which is more likely than a pen outside) you can prevent the "call homes" or reverse DOS saving you from a law suit.
- SOX and other compliancy checks will fail you for not denying.

The best is to have defense in depth, router on inside doing routing and traffic shaping, firewalls doing rule enforcement, and router on outside policing traffic to prevent DOS's etc.

Good luck

[masraum]

Thanks. It's no where near a new install, and I do have some things to add to the beginning that are deny. I think the security will require a pretty thorough refresh. We've got most of the hardware. It's just not implemented well. I've done some basic clean-up, but they've had me doing other stuff since I started last year. Since I started I've been saying that the security is non-existent. Now all of a sudden, they are fast and furious on getting the security into shape.

[jeffgrant]

First thing I would do is perform a Threat Analysis, and use that to set the business policies. Get them signed off by the Powers That Be. Clearly spell out what things you are protecting yourselves against, and what you're not. Management wants everything, but never wants to spend the money required for it. If/when **** goes wrong, they won't understand that, they'll just point fingers.

Then take that and implement it using the appropriate hardware/software and design. Be sure to implement the required changes in end-user policies, etc.

Are you a small start-up selling a simple widget, or are you a bank doing international banking transactions? Are you a marketing company, or are you hosting an online service? All of these have different requirements.

Too many people just start implementing network security for the sake of implementing network security.

And be sure to include proper monitoring and logging as part of that security.


And remember, good security is part of the design, not a bolt-on or after-thought.


Again, it all depends on what you want, what you need, and what you can afford to do (cash, time, effort, etc).

[KaptKaos]

Quote:

Originally Posted by masraum

2500 idiots with admin access doing whatever they want from the inside to the outside.

Of course I assume you mean local admin, but geez that bad enough!

One outbreak and kiss your job goodbye. The first "consultant" that comes in to review the aftermath will see this and you will be out faster than you can imagine!

You are the tool. Management makes the decisions. Give them the information and make them decide how to wield the tool. Cover your arse with the documentation of their decisions and your notifications to them of such.

I wouldn't let another day go by that I didn't tell the CIO, COO or other such officer of the risks of having 2500 users with local admin rights.

[masraum]

Quote:

Originally Posted by KaptKaos

Of course I assume you mean local admin, but geez that bad enough!

One outbreak and kiss your job goodbye. The first "consultant" that comes in to review the aftermath will see this and you will be out faster than you can imagine!

You are the tool. Management makes the decisions. Give them the information and make them decide how to wield the tool. Cover your arse with the documentation of their decisions and your notifications to them of such.

I wouldn't let another day go by that I didn't tell the CIO, COO or other such officer of the risks of having 2500 users with local admin rights.

Fortunately, that's on someone else's butt, not mine. And yes, it'l local admin access.

Also, we have a "Security team" and I'm not on it. They are the policy makers. So if this goes south, it's not really on my head. I'm just the voice of reason coming in telling folks how bad things are and that something needs to be done.

[masraum]

Do any of you gents have recommendations for proxy servers? What proxy servers do you use?

Thanks

[mikester]

squid

[masraum]

Ouch, I was afraid someone would say that. Our Security guys aren't that technical. They'd have to hire someone to manage it.