User guide
Chapter 8: Configuring Filtered Services
94 WatchGuard Firebox System
Selecting Services for your Security Policy Objectives
The WatchGuard Firebox System, like most commercial firewalls,
discards every packet that is not explicitly allowed, a stance often
stated as "that which is not explicitly allowed is denied."
This default-deny stance protects against attacks based on new, unfamiliar,
or obscure IP services. It also provides a safety net against unknown
services and configuration errors that could otherwise threaten network
security: a rule you forgot to write denies traffic rather than permitting it.
It also means that the Firebox passes no traffic at all until it is
configured to do so. You must actively select the services and protocols
to allow, configure, for each one, which hosts may send and receive it,
and set any other properties specific to that service.
Every service brings tradeoffs between network security and accessibility.
When selecting services, balance the needs of your organization with the
requirement that computer assets be protected from attack.
Incoming service guidelines
Enabling incoming services creates a conduit into your network. The
following are some guidelines for assessing security risks as you add
incoming services to a Firebox configuration:
• A network is only as secure as the least secure service allowed into it.
• Services you do not understand should not be trusted.
• Services with no built-in authentication, and services that were not
designed for use on the Internet, are risky.
• Services that send passwords in the clear (FTP, telnet, POP) are very
risky: anyone who can observe the traffic can capture the credentials.
• Services with built-in strong authentication (such as ssh) are
reasonably safe. If a service has no built-in authentication, you can
reduce the risk by requiring user authentication before that service
is allowed.
• Services such as DNS, SMTP, anonymous FTP, and HTTP are safe only if
the servers behind them are configured and used as intended; for
example, an SMTP server that relays mail for anyone on the Internet is
not being used in its intended manner.
• Allowing a service to access only a single internal host is safer than
allowing the service to access several or all hosts.
• Allowing a service from a restricted set of hosts is somewhat safer
than allowing the service from anywhere.
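The two ideas above, the implicit deny that applies when no rule matches, and the guidelines for judging an incoming service rule, can be modelled in a few lines. The following is an added example written for this guide and is not WatchGuard code: it evaluates a packet against an ordered list of allow rules with no deny rule anywhere (a packet that matches nothing is simply dropped), and then audits each rule against three of the guidelines (cleartext-password services, "from anywhere" sources, and rules that reach more than one internal host). The rule names, addresses, and port-to-service table are constructed for the example.

```python
"""Default-deny rule evaluation and rule audit (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule. There is deliberately no deny rule type."""
    name: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port of the service
    src: str     # permitted source network in CIDR form; 0.0.0.0/0 = anywhere
    dst: str     # permitted destination network; a /32 is a single host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the name of the first rule that allows pkt, or None.

    None is the deny: a service that no rule mentions, or a source or
    destination outside a rule's scope, falls through and is dropped.
    """
    for r in rules:
        if (r.proto == pkt.proto and r.port == pkt.dport
                and ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)):
            return r.name
    return None


# Well-known ports of the cleartext-password services named in the guidelines.
CLEARTEXT_PASSWORD_PORTS = {21: "FTP", 23: "telnet", 110: "POP3"}


def audit(rule: Rule) -> List[str]:
    """Flag a rule that violates the incoming-service guidelines."""
    findings = []
    if rule.proto == "tcp" and rule.port in CLEARTEXT_PASSWORD_PORTS:
        svc = CLEARTEXT_PASSWORD_PORTS[rule.port]
        findings.append(f"{svc} sends passwords in the clear")
    if ip_network(rule.src).prefixlen == 0:
        findings.append("allowed from anywhere; restrict the source set")
    if ip_network(rule.dst).num_addresses > 1:
        findings.append("reaches more than one internal host; scope to one host")
    return findings


# Constructed sample policy: two reasonable rules and one that breaks
# three guidelines at once.
RULES = [
    Rule("ssh-admin", "tcp", 22, "203.0.113.0/24", "10.0.0.5/32"),
    Rule("smtp-in", "tcp", 25, "0.0.0.0/0", "10.0.0.10/32"),
    Rule("telnet-lan", "tcp", 23, "0.0.0.0/0", "10.0.0.0/24"),
]

if __name__ == "__main__":
    probes = [
        Packet("tcp", "203.0.113.7", "10.0.0.5", 22),    # allowed by ssh-admin
        Packet("tcp", "198.51.100.9", "10.0.0.5", 22),   # wrong source: denied
        Packet("udp", "198.51.100.9", "10.0.0.5", 5353), # no rule at all: denied
        Packet("tcp", "198.51.100.9", "10.0.0.10", 25),  # allowed by smtp-in
    ]
    for p in probes:
        print(p, "->", evaluate(RULES, p) or "DENY (no matching rule)")
    for r in RULES:
        print(r.name, audit(r) or ["ok"])
```

Note that the unknown UDP service is denied without any rule having been written for it; that is the safety net the text describes. The audit is a simple lint, not a substitute for judgement: the SMTP rule is flagged for its "anywhere" source, which is unavoidable for a public mail server, and the right answer there is to keep it scoped to the single mail host as the rule already is.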