[Thanks to Scott Pinzon of WatchGuard Technologies for the suggested topic and title.]
Sit down one day. Look at your firewall ruleset. Is there anything that effectively uses an "any" rule for any part of the configuration? Get rid of it.
Okay, I exaggerate. Let me start over, and let me be more specific. Most of us -- and I wrote "most" rather than "many" -- have porous firewalls. Our firewall rules are too general. I have written on this in the past (e.g., http://www.avolio.com/columns/Day8.html, http://www.avolio.com/columns/onesize.html). I also mention this in the firewalls and "tools and techniques" classes that I teach (http://www.avolio.com/calendar.html). Why am I bringing it up again? Because the problem is so pervasive, the vulnerabilities are so real, and the fix is so simple. I'll keep this brief.
When we set up our firewall security policy, we have in the back of our heads the "Primordial Security Policy." It is a part of our thinking, and perhaps relates to some other basic mindsets inherited from Adam and Eve, in our brains since being kicked out of Eden. It is: Allow anyone "in here" to get out, for anything, but keep people "out there" from getting "in." Everyone reading this will recognize it. Now you have a name for it. Is this a good policy? Well, it is a start. But it is completely inadequate for the security needs of most of us.
The Primordial Security Policy (PSP) is useful as a starting point. It's kind of like our built-in autonomic reflex that causes us to pull our hand away from a flame without going through the bother of thinking the situation through first. The PSP tells us there is something to worry about. The PSP gets our brain's attention, but then our brains have to kick in and say, "that's all well and good, but what is the real worry, and while I am at it are there *other* things I should be concerned about?"
Your firewall, of course, will differ in the details, but assuming a generic packet filter, here are a few suggestions for "next thoughts" for your brain.
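To make the "get rid of the any rules" advice concrete, here is an added example (not code from the original column or from any firewall vendor) that audits a generic ruleset for allow rules left at "any". The rule format, the two sample rulesets and the network addresses are all constructed for this illustration; the first ruleset is the Primordial Security Policy as described above, the second is a tightened outbound policy that names the services actually permitted.

```python
"""
Audit a generic firewall ruleset for over-broad "any" allow rules.
Added illustrative example; the Rule format, the sample rulesets and
the addresses in them are constructed for this demonstration.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # network, host, or "any"
    dst: str      # network, host, or "any"
    proto: str    # "tcp", "udp", "icmp", or "any"
    dport: str    # destination port number, or "any"


def broad_fields(rule: Rule) -> list[str]:
    """Return the match fields an allow rule leaves at 'any' (deny rules are not a concern)."""
    if rule.action != "allow":
        return []
    return [name for name in ("src", "dst", "proto", "dport")
            if getattr(rule, name) == ANY]


def audit(rules: list[Rule], max_any: int = 1) -> list[tuple[Rule, list[str]]]:
    """Flag allow rules that leave more than `max_any` match fields at 'any'.

    The default tolerates one open field, so a rule that pins protocol and port
    but lets inside hosts reach any web server is accepted, while a rule that
    says "anyone inside, to anywhere, for anything" is reported.
    """
    findings = []
    for rule in rules:
        fields = broad_fields(rule)
        if len(fields) > max_any:
            findings.append((rule, fields))
    return findings


def report(rules: list[Rule]) -> list[str]:
    """Human-readable one-liners for each finding."""
    return [f"{rule.name}: 'any' in {', '.join(fields)}"
            for rule, fields in audit(rules)]


# Constructed "Primordial Security Policy": anyone in here may go anywhere, for anything.
PSP_RULES = [
    Rule("inside-out", "allow", "10.0.0.0/8", ANY, ANY, ANY),
    Rule("default-deny", "deny", ANY, ANY, ANY, ANY),
]

# Constructed tightened policy: outbound limited to named services and internal relays.
TIGHTENED_RULES = [
    Rule("web-out", "allow", "10.0.0.0/8", ANY, "tcp", "80"),
    Rule("ssl-out", "allow", "10.0.0.0/8", ANY, "tcp", "443"),
    Rule("dns-out", "allow", "10.0.0.0/8", "10.0.0.53", "udp", "53"),
    Rule("smtp-relay", "allow", "10.0.0.25", ANY, "tcp", "25"),
    Rule("default-deny", "deny", ANY, ANY, ANY, ANY),
]

if __name__ == "__main__":
    for label, rules in (("PSP", PSP_RULES), ("tightened", TIGHTENED_RULES)):
        findings = report(rules)
        print(f"{label}: {len(findings)} over-broad allow rule(s)")
        for line in findings:
            print("  " + line)
```

Run against the PSP ruleset the audit reports the single "inside-out" rule as leaving destination, protocol and port wide open; against the tightened ruleset it reports nothing, because every allow rule names at least the protocol and port it is for. Raising `max_any` to zero turns the check into the strict "no any at all" reading of the opening paragraph, which will also flag the web and SSL rules and is usually too strict for outbound web access.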
I've just started writing a bi-monthly column for Information Security Magazine. Its title is "Just the Basics," with the tag line of "Cutting Through the Security Clutter." March's column is about IDS, entitled "Rethinking IDS," and found at http://www.infosecuritymag.com/2002/mar/columns_jtb.shtml.
I write for WatchGuard Technologies, and my 12/14/2000 "Things to Come" editorial is at http://www.avolio.com/columns/SmartCards.html.
I reprinted my 2/28/2002 searchSecurity.com column on high speed Internet access from hotels at http://www.avolio.com/columns/HighSpeedAccessinHotels.html.
May 6 and 7 in Las Vegas, Dave Piscitello, Joel Snyder, and I will again be presenting our two VPN classes, "Introduction to VPNs" and "VPN Design and Deployment." See http://www.avolio.com/calendar.html for information about these and other courses.