User guide

Adding and Configuring Services
User Guide 95
Allowing a service to the optional network is safer than allowing it to the trusted network.

Allowing incoming services from a virtual private network (VPN), where the organization at the other end is known and authenticated, is generally safer than allowing incoming services from the Internet at large.

Each safety precaution you implement makes your network significantly safer. Following three or four precautions is much safer than following one or none.
Outgoing service guidelines
In general, the greatest risks come from incoming services, not outgoing services. There are, however, some security risks with outgoing services as well. Control of outgoing services helps to protect your network from hostile acts within your organization. For example, when configuring the outgoing FTP service, you can make it read-only, restrict the destination hosts that can receive such a transmission, or both. This prevents insiders from using FTP to transmit corporate secrets to a home computer or to a rival organization.

As another example, passwords used for some services (FTP, telnet, POP) are sent in the clear. If those passwords are the same as the ones used internally, an attacker who captures such a password can use it to gain access to your network.
Adding and Configuring Services
You add and configure services using Policy Manager. The Services Arena of Policy Manager contains icons that represent the services (filtered and proxied) currently configured on the Firebox, as shown in the following figure. You can choose from many filtered and proxied services. These services are configurable for outgoing or incoming traffic, and they can also be made active or inactive. When configuring a service, you set the allowable traffic sources and destinations, as well as determine the filter rules and policies for the service. You can create services to customize rule sets, destinations, protocols, ports used, and other parameters.
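The following added example (not part of this guide and not the Firebox or Policy Manager software) models a service definition as described above: a port, a direction, an active flag, and allowed sources and destinations. It evaluates a connection against such a list with a default deny, and audits the list against two of the precautions in this section (prefer the optional network for incoming services; restrict outgoing FTP destinations). The trusted and optional address ranges, the service names and the partner host are constructed values; protocol-level options such as read-only FTP are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing for a three-interface layout (assumption, not from the guide).
TRUSTED = ip_network("10.0.0.0/24")
OPTIONAL = ip_network("192.168.100.0/24")
ANY = "0.0.0.0/0"

@dataclass
class Service:
    name: str
    port: int
    direction: str                                     # "incoming" or "outgoing"
    active: bool = True
    allowed_from: list = field(default_factory=list)   # CIDR strings
    allowed_to: list = field(default_factory=list)     # CIDR strings

def _matches(addr, entries):
    a = ip_address(addr)
    return any(a in ip_network(e, strict=False) for e in entries)

def evaluate(services, src, dst, port, direction):
    """First active service for this port and direction decides; anything else is denied."""
    for s in services:
        if not s.active or s.port != port or s.direction != direction:
            continue
        if not _matches(src, s.allowed_from):
            return False, f"{s.name}: source {src} not in allowed sources"
        if not _matches(dst, s.allowed_to):
            return False, f"{s.name}: destination {dst} not in allowed destinations"
        return True, f"{s.name}: allowed"
    return False, "no active service matches; default deny"

def audit(services):
    """Flag active services that go against the precautions in this section."""
    findings = []
    for s in services:
        if not s.active:
            continue
        if s.direction == "incoming" and any(ip_network(e, strict=False).overlaps(TRUSTED) for e in s.allowed_to):
            findings.append(f"{s.name}: incoming service reaches the trusted network; prefer an optional-network host")
        if s.direction == "outgoing" and ANY in s.allowed_to:
            findings.append(f"{s.name}: outgoing destinations unrestricted; list the hosts that may receive it")
    return findings

# Constructed example: outgoing FTP limited to one partner host, incoming HTTP only to an optional-network host.
SERVICES = [
    Service("FTP-out", 21, "outgoing", allowed_from=[str(TRUSTED)], allowed_to=["203.0.113.10/32"]),
    Service("HTTP-in", 80, "incoming", allowed_from=[ANY], allowed_to=["192.168.100.10/32"]),
    Service("Telnet-in", 23, "incoming", active=False, allowed_from=[ANY], allowed_to=[str(TRUSTED)]),
]
```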