General Rules
- Deny All is usually the best default rule
- Handle ICMP carefully: block or rate-limit it from all outside sources
- Fragmented packets can be used to create DoS attacks
- Source address filtering must always be based on the network interface the packet arrives on
- Always do logging, and archive the logs or write them to write-once media
- DNS on TCP 53 is only used for zone transfers, so in general that traffic can be blocked
- MSN and NetMeeting are better handled by an application gateway because they use dynamic ports
- A Screened Host is the intranet server behind the firewall (reached via port forwarding)
- A Screened Network / DMZ is the network segment behind the firewall
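An added example (not part of the original notes) of how these General Rules look as an nftables ruleset on a small gateway; the interface names (eth0 = outside, eth1 = intranet), the intranet prefix 192.168.1.0/24 and the allowed services are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original notes. Assumed: eth0 faces the outside,
# eth1 faces the intranet, and the intranet prefix is 192.168.1.0/24.
flush ruleset

table inet filter {
    chain input {
        # Deny All as the default rule; every accept below is an explicit exception.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Source address filtering based on the arrival interface: private or
        # loopback sources coming in on the outside interface are spoofed.
        iif eth0 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } log prefix "SPOOF-EXT: " drop
        iif eth1 ip saddr != 192.168.1.0/24 log prefix "SPOOF-INT: " drop

        # Fragmented packets can be used for DoS: drop non-first fragments.
        ip frag-off & 0x1fff != 0 log prefix "FRAG: " drop

        # ICMP handled carefully: only a few types from outside, rate-limited;
        # the intranet side may use ICMP freely.
        iif eth0 icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 5/second accept
        iif eth1 ip protocol icmp accept
        iif eth0 ip protocol icmp log prefix "ICMP-BLOCK: " drop

        # DNS on TCP 53 is only needed for zone transfer, so block it from outside.
        # (Large answers also fall back to TCP, so keep it open if this host
        # serves public DNS.) Intranet clients may still query UDP 53.
        iif eth0 tcp dport 53 log prefix "AXFR-ATTEMPT: " drop
        iif eth1 udp dport 53 accept
        iif eth1 tcp dport 22 accept

        # Log everything else before the default policy drops it. Kernel log
        # lines should be shipped to an archive host or write-once media.
        log prefix "DENY: " flags all
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only intranet sources may leave through the outside interface.
        iif eth1 oif eth0 ip saddr 192.168.1.0/24 accept
        log prefix "FWD-DENY: "
    }
}
```

Load with `nft -f` and review the counters with `nft list ruleset` after a few minutes of traffic; the log prefixes make the dropped categories easy to separate in the kernel log.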
Interesting
- Dynamic packet filtering (for Outlook/Exchange, Windows Messenger, etc.?)
- Sometimes a static outbound mapping (port forwarding) may be needed for outgoing traffic (the firewall's outgoing IP is then always the same for a given group of intranet IPs)
- Some firewall products can do:
  - time-based filtering
  - access based on username (Microsoft ISA?)
  - bandwidth quotas
  - intrusion detection, logging, reporting and raising an alarm, or even dynamically adjusting the policy, for events such as:
    - zone transfer attempts
    - address scans
    - port scans
    - ping-of-death DoS attack attempts
- NAT-D (Detection) and NAT-T (Traversal) are needed to support IPsec over NAT gateways
- PPTP does not protect the IP header, while IPsec does, so IPsec/L2TP needs NAT-D/NAT-T at the gateway
- Is there any tool to evaluate firewall effectiveness?
  - ICSA Lab (certifies commercial firewall products)