Sister CISA CISSP

Apr 1 2009   12:45AM GMT

Making it Easy For Hackers

Arian Eigen Heald

How many rules do you have in your firewall? How many rules allow access directly into your network? How many rules allow ANY/ANY?

The more rules you have in your firewall rulebase, the higher your risk of allowing attackers in. I’m not talking about opening access to your webserver in the DMZ. But rules interact with one another rather than standing alone, which many people (including some professionals) do not understand.

Firewall rules are evaluated in order, like Access Control Lists, and the first rule that matches decides, so you can end up with some unintended consequences. If the ANY/ANY rule is above the tighter rules, the ANY/ANY rule will prevail and the tighter rules below it are never consulted. This is exactly what happened in a rulebase I looked at not too long ago. The company was not convinced until we ran a packet capture and I could demonstrate that IP addresses from Russia AND China were banging on internal IP addresses.

Allowing ingress to your internal network using any protocol is fraught with peril. Terminal Services/RDP allowed in? Somebody will be running scripts against the Administrator ID trying to log in all the time. FTP? There are too many ways to badly configure an FTP server. That’s what a DMZ is for. So is your Outlook Web Access. If any internal server is compromised, it becomes a jumping-off point into the rest of your network. This goes for printers, too, which have small hard drives of their own.

ANY/ANY rules are red flags to the auditor – they tell me someone is sloppy, and hasn’t taken the time to ascertain what ports are absolutely necessary to open. Yes, we’re all busy, but think how busy you will be cleaning up after hackers. Or, worse yet, cleaning up your resume on the unemployment line.

Have a rule labeled TEMP? Put an expiration date and a contact person in the notes. If you are run over by the turnip truck, the next engineer will have a clue as to what is going on and will offer up burnt offerings in gratitude.
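To show the two points above concretely, here is a small rulebase checker I added for this post (it is not the author's code and not tied to any firewall product). It evaluates rules top-down, first match wins, and flags ANY/ANY allows, rules that are shadowed by an earlier rule and can never fire, and TEMP rules that have no expiry or are past it. The rulebase, addresses and rule names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
@dataclass
class Rule:
    name: str
    src: str                    # CIDR/host address, or "any"
    dst: str
    proto: str                  # "tcp", "udp" or "any"
    port: int | None            # None means any port
    action: str                 # "allow" or "deny"
    expires: date | None = None # expiry noted on TEMP rules
def _covers(a: str, b: str) -> bool:
    """True if network/address a contains all of b ("any" contains everything)."""
    return a == "any" or (b != "any" and ip_network(b).subnet_of(ip_network(a)))
def shadows(earlier: Rule, later: Rule) -> bool:
    """Earlier rule covers every packet the later one could match, so the later one never fires."""
    return (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
            and earlier.proto in ("any", later.proto) and earlier.port in (None, later.port))

def first_match(rules: list[Rule], src: str, dst: str, proto: str, port: int) -> Rule | None:
    """Top-down, first-match evaluation; a single packet is just a very narrow rule."""
    packet = Rule("packet", src, dst, proto, port, "")
    return next((r for r in rules if shadows(r, packet)), None)  # None = implicit deny

def audit(rules: list[Rule], today: date | None = None) -> list[str]:
    """Flag ANY/ANY allows, rules that can never fire, and TEMP rules lacking or past an expiry."""
    today = today or date.today()
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == rule.dst == rule.proto == "any" and rule.port is None:
            findings.append(f"{rule.name}: ANY/ANY allow")
        blocker = next((e.name for e in rules[:i] if shadows(e, rule)), None)
        if blocker:
            findings.append(f"{rule.name}: shadowed by {blocker}, never evaluated")
        if rule.name.upper().startswith("TEMP"):
            if rule.expires is None:
                findings.append(f"{rule.name}: TEMP rule with no expiry date")
            elif rule.expires < today:
                findings.append(f"{rule.name}: TEMP rule expired {rule.expires}")
    return findings
# Constructed rulebase in the shape the post describes: the ANY/ANY sits above the tighter rules.
RULEBASE = [
    Rule("R1-any-any", "any", "any", "any", None, "allow"),
    Rule("R2-https-to-web", "any", "10.0.0.5/32", "tcp", 443, "allow"),
    Rule("R3-rdp-to-dc", "any", "10.0.0.10/32", "tcp", 3389, "allow"),
    Rule("TEMP-vendor", "203.0.113.0/24", "10.0.0.20/32", "tcp", 22, "allow", date(2009, 3, 1)),
    Rule("R5-deny-all", "any", "any", "any", None, "deny"),
]
```

Running `audit(RULEBASE)` reports the ANY/ANY allow, marks every rule below it as shadowed, and flags the expired TEMP rule; dropping R1 leaves only the TEMP finding, and `first_match` then sends an unsolicited SMB packet to the deny rule instead of letting it through.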
