dxbdxb2009 asked:
Firewall Policy...

Hi EEs,

We have to install a network firewall (Fortigate), for which I have to give a small checklist to my vendors before starting the implementation.

Herewith I am enclosing one small checklist for you experts to comment on and advise me on.

Kindly add whether these are okay, or if you experts can advise more...

thanks in advance...
Firewall-Checklist-ee.docx
dxbdxb2009 (ASKER):

Anyone pls advise...
There is nothing called a universal firewall rule. Rules are based on corporate policies, usually some security audit guidelines. Seeing the list, it looks like an amalgamation from different sources. The points can go up to well beyond 100.

However, you might need to check the list of blocked IPs and services, because they list many ports which we generally keep open. You blocked the private range entirely, multicast IPs, FTP, SSH, Telnet etc. You should discuss your design and the required filtering of traffic with the vendor.

It looks too formal and probably unworkable to me. If you apply your list, it will block everything.

Generally the vendors should be able to give you a small checklist to start with, and gradually it should be built up as per the need.

Best,
ASKER CERTIFIED SOLUTION
Soulja
@surbabu140977:

"a universal firewall rule...." agreed, but can you share some link where I can see some examples of such rules which could be adopted for mine?

"You blocked the private range entirely, multicast IPs, FTP, SSH, Telnet etc......." what all do I need to consider blocking....pls advise..

---------------------------------------------------------------------------------------------

@Soulja: thanks for your reply...

You are correct, this is going to be at the edge of this network...
Kindly share any good links on the ports I must block for all incoming traffic....would really appreciate it...

I think we don't even need to allow http/https, as we don't have any web server at all;
for VPN, yes, we must open incoming traffic as we will have some VPN users;
good advice for SSH...will put one note for the vendor to consider SSH, thanks.

- Yes, you will want to block the private and non-routables from coming inbound to the firewall = meaning none of the incoming packets from outside the network with private IPs (including...10.x.x.x / 172.16.x.x / 192.168.x.x) will be allowed. Correct?

- Don't allow Telnet, use SSH only = Noted, thanks
- Don't allow FTP unless you are using SFTP = Noted this as well.

Can you advise if I can just host SFTP directly on my SAN (NetApp FAS 2240)? This way I will not have to keep an additional Windows FTP server.
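The inbound rules agreed in the exchange above (drop private and other non-routable source addresses at the edge, deny Telnet and plain FTP, allow SSH/SFTP and the VPN, and deny everything else including http/https since there is no web server) can be written down as a small policy evaluator. The following is an added example, not part of this thread and not Fortigate configuration; it is a Python check that runs the thread's rules over a few constructed sample flows so the intended behaviour of the checklist can be reviewed before the vendor builds it. The VPN ports (IPsec IKE on UDP 500 and NAT-T on UDP 4500) are an assumption, since the thread does not say which VPN type is used.

```python
"""Edge-firewall inbound policy check (added example, not the forum's own code).

Order of evaluation mirrors the thread's advice:
  1. drop any packet whose source is private / non-routable / unparseable
  2. explicitly deny legacy clear-text services (Telnet, FTP)
  3. allow only the services the site needs (SSH/SFTP, VPN)
  4. default deny for everything else (no web server, so no http/https)
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source IP as seen on the Internet-facing interface
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Source ranges that must never arrive from the outside (bogons).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "100.64.0.0/10",    # shared address space (RFC 6598)
    "0.0.0.0/8",        # "this" network
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Clear-text services the thread says to deny inbound.
DENY_SERVICES = {
    ("tcp", 23): "telnet (use SSH instead)",
    ("tcp", 21): "ftp (use SFTP over SSH instead)",
}

# Services explicitly permitted inbound; VPN ports are an assumption (IPsec).
ALLOW_SERVICES = {
    ("tcp", 22): "ssh / sftp",
    ("udp", 500): "ipsec ike (assumed VPN)",
    ("udp", 4500): "ipsec nat-t (assumed VPN)",
}


def bogon_match(src: str):
    """Return the matching bogon prefix, 'unparseable' for bad input, else None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    for net in BOGON_NETS:
        if addr in net:          # returns False for mismatched IP versions
            return str(net)
    return None


def evaluate(flow: Flow):
    """Return (action, reason) for one inbound flow."""
    hit = bogon_match(flow.src)
    if hit is not None:
        return ("deny", f"non-routable or invalid source ({hit})")
    key = (flow.proto.lower(), flow.dport)
    if key in DENY_SERVICES:
        return ("deny", DENY_SERVICES[key])
    if key in ALLOW_SERVICES:
        return ("allow", ALLOW_SERVICES[key])
    return ("deny", "no matching allow rule (default deny)")


# Constructed sample traffic (documentation prefixes, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "tcp", 22),        # private source spoofed from outside
    Flow("224.0.0.1", "udp", 5353),     # multicast source
    Flow("203.0.113.5", "tcp", 22),     # SSH/SFTP from the Internet
    Flow("203.0.113.5", "tcp", 23),     # Telnet
    Flow("203.0.113.9", "tcp", 21),     # FTP
    Flow("198.51.100.7", "udp", 500),   # VPN (assumed IPsec)
    Flow("203.0.113.9", "tcp", 80),     # http, no web server here
    Flow("not-an-ip", "tcp", 22),       # garbage in a log line
]


def evaluate_all(flows=SAMPLE_FLOWS):
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for flow, action, reason in evaluate_all():
        print(f"{action:5} {flow.src:>14} {flow.proto}/{flow.dport:<5} {reason}")
```

The bogon check runs before the service rules so that a spoofed private source can never reach an allow rule; the unparseable-address branch matters when the same logic is later fed real log lines. Adjusting `ALLOW_SERVICES` to the VPN type actually deployed (SSL VPN would need its own TCP port instead) is the one site-specific decision left open by the thread.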
You got the approach totally wrong........ you are trying to generalize something which you think can be applied. Please do not "think". Firewall rules are a requirement and should be guided by a definite policy with a business requirement.

If you are a business guy, define your business goal and let the IT person design it for you.

If you are an IT guy, outline your IT business needs and let a security guy do it for you..

You do not get a security config in any forum.

Below is a standard and accepted guideline from NIST, USA, that should help you a bit. Please note actual implementations may vary widely as per the requirement compared to what is defined in the guideline.

http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

Best,
@Soulja:

I assume this firewall will be on the edge of your network = Yes, it is
You will want to block most of those ports for inbound traffic = Yes, you are correct.

Anything specific to be considered for blocking & allowing...pls comment on it...
--------------------------------------------------------------------------------------------------------------

@surbabu140977: thanks for the above link...

Would really appreciate it if you could provide me some more, including some good templates/examples...

many thanks in advance..