Hi, I'm looking for advice on what policies I need and what screening to turn on for a Netscreen 5xp device (or Netscreens in general). Can you please confirm or refute my beliefs below and provide explanations? My network setup is very simple: one MS SBS2003 server running Exchange 2003 with 10 XP clients, using one Netscreen 5xp as gateway/firewall. I'm only using the trust and untrust virtual routers.
1) I only need to make "Allow" policies? All other traffic is denied by default?
Trust->Untrust to allow outbound traffic for LAN users and Server. All I need to allow on Trust->Untrust are the network protocols needed: Blackberry Ent. Server, DNS, FTP, HTTP, HTTPS, ICMP-ANY, IMAP, MAIL, PING, POP3, SSH. Am I missing any common protocols? I think I have all the common ones.
Untrust->Trust to allow Exchange server to work: HTTP, SMTP, PING
So, I only need these two "Allow" policies. I don't need any "Deny" policies since anything other than these port openings is denied by default anyway?
2) Screening??
Trust Zone Screening: I check all Screening options for Trust zone except for "Block HTTP Components" section (I want to allow users to download Java apps, .exe files, etc.). Is this correct? Any reason to NOT check off everything in Trust Zone?
Untrust zone screening: I left only the default screening options checked for the Untrust zone: SYN Flood Protection, Ping of Death Attack Protection, Land Attack Protection, IP Source Route Option Filter. Should I check off everything in the Untrust Zone or just leave these defaults? Why are these the defaults?
So, that's all I have set up right now. Two "Allow" policies and screening as stated above. Any suggestions much appreciated.
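As an added illustration (not part of the post and not ScreenOS code), the following Python models the first-match, default-deny policy lookup that question 1 rests on. It loads the two permit policies from the post, checks a few flows against them, and shows that an explicit deny policy only takes effect when it is ordered before a broader permit that would otherwise match. Service names follow the post's list; the address names ("lan-host", "workstations") and the "MS-RDP" service are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One firewall policy. Policies are evaluated in list order; first match wins."""
    src_zone: str
    dst_zone: str
    src_addr: str          # "Any" or a named address object (names are constructed here)
    services: frozenset    # service object names; {"ANY"} matches every service
    action: str            # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    """A new session the firewall must classify."""
    src_zone: str
    dst_zone: str
    src_addr: str
    service: str


def lookup(policies: List[Policy], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching policy). No match -> implicit default deny."""
    for idx, p in enumerate(policies):
        zone_ok = p.src_zone == flow.src_zone and p.dst_zone == flow.dst_zone
        addr_ok = p.src_addr in ("Any", flow.src_addr)
        svc_ok = "ANY" in p.services or flow.service in p.services
        if zone_ok and addr_ok and svc_ok:
            return p.action, idx
    return "deny", None  # nothing matched: the default-deny catch-all applies


# The two permit policies exactly as the post describes them.
OUTBOUND_SERVICES = frozenset({
    "Blackberry Ent. Server", "DNS", "FTP", "HTTP", "HTTPS", "ICMP-ANY",
    "IMAP", "MAIL", "PING", "POP3", "SSH",
})
INBOUND_SERVICES = frozenset({"HTTP", "SMTP", "PING"})

POST_POLICIES = [
    Policy("Trust", "Untrust", "Any", OUTBOUND_SERVICES, "permit"),
    Policy("Untrust", "Trust", "Any", INBOUND_SERVICES, "permit"),
]


def evaluate_post_policies() -> dict:
    """Classify sample flows against the post's policy set (sample flows are constructed)."""
    checks = {
        "lan_http_out": Flow("Trust", "Untrust", "lan-host", "HTTP"),
        "lan_rdp_out": Flow("Trust", "Untrust", "lan-host", "MS-RDP"),   # not in the list
        "inet_smtp_in": Flow("Untrust", "Trust", "Any", "SMTP"),
        "inet_ftp_in": Flow("Untrust", "Trust", "Any", "FTP"),           # not in the list
    }
    return {name: lookup(POST_POLICIES, flow)[0] for name, flow in checks.items()}


def order_matters() -> dict:
    """A deny policy is only effective if it precedes the permit that would also match.

    Here a hypothetical 'workstations' address object is denied outbound MAIL.
    Placed after the broad permit it is shadowed and never reached.
    """
    deny_ws_mail = Policy("Trust", "Untrust", "workstations", frozenset({"MAIL"}), "deny")
    broad_permit = POST_POLICIES[0]
    flow = Flow("Trust", "Untrust", "workstations", "MAIL")
    return {
        "deny_first": lookup([deny_ws_mail, broad_permit], flow)[0],
        "deny_after_permit": lookup([broad_permit, deny_ws_mail], flow)[0],
    }


if __name__ == "__main__":
    for name, action in evaluate_post_policies().items():
        print(f"{name:14s} -> {action}")
    print(order_matters())
```

The model reproduces the behaviour behind the post's assumption: with only permit policies, anything not listed (the constructed MS-RDP outbound flow, FTP inbound) falls through to the implicit deny, so no explicit deny policy is needed to block it. The `order_matters` function shows the one case where a deny policy does matter: carving an exception out of a broader permit, which only works if the deny is listed first.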