Got a quick query for anyone who's good with firewalls (you know who you are).
Say I trust this network completely: 172.64.22.0/24 - is it still a bad idea to open up all incoming ports to any IP from inside this network? I.e., can someone spoof coming from that network etc.?
I suspect that it *is* a bad idea, but I want to be sure.
3 Replies and 812 Views in Total.
Vinnie Just because you don't believe in something, doesn't mean it's not true.
Anything can be 'spoofed'
I would say it is never a good idea to open it completely.
Just open the ports you need.
gobstopper Eventually, I'll think of something witty to put here ;-)
Strictly speaking it is a bad idea.
The principal factor to consider is whether the other machines on that subnet are at least covered by a decent and up-to-date anti-virus solution plus some sort of deployed application to deal with non-virulent malware (spyware, trojans, etc...). If those bases are covered then you should be OK, but there's still a considerable element of "internal" undesired activity, which is why you shouldn't rely on your gateway firewall as your only means of security.
One other thing to consider is whether that subnet contains any publicly-accessible hosts. Unless your gateway firewall is running some sort of application-level proxy control, these machines should be separated from the main network. Otherwise, if they are compromised by an external attack, the perpetrator will have the means to wander around your network. By separating these hosts, you are covering your backside by ensuring that the main network is not visible.
This is why organisations are now looking to complement their main firewall with a centrally-managed personal firewall solution. These govern the actual applications which a machine can run and can prevent a trojan (should it find its way onto a host) from pretending to be a valid application (e.g. Internet Explorer) which could have access to the network.
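The two replies above make the same pair of points: a source address can be spoofed, so "trust this subnet" must be tied to the interface the traffic actually arrives on, and even trusted hosts should only reach the ports they need. The following is an added illustration (not code from any poster), a small policy evaluator that contrasts the "open everything from 172.64.22.0/24" rule with an anti-spoof, least-privilege rule over constructed sample packets; the interface names and the set of needed ports are assumptions.

```python
import ipaddress
from dataclasses import dataclass

TRUSTED_NET = ipaddress.ip_network("172.64.22.0/24")  # subnet from the question
INSIDE_IF, OUTSIDE_IF = "eth1", "eth0"                 # assumed interface names
NEEDED_PORTS = {22, 445}                               # assumed: only what is really required


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source IP as the packet claims it
    dport: int        # destination TCP port


def decide_open_all(pkt: Packet) -> str:
    """The policy asked about: accept anything that *claims* a trusted source."""
    if ipaddress.ip_address(pkt.src) in TRUSTED_NET:
        return "accept"          # a spoofed source from outside passes this check
    return "drop"


def decide(pkt: Packet) -> str:
    """Anti-spoof plus least privilege: return 'accept' or 'drop' for one inbound packet."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing: a trusted internal source address arriving on the outside
    # interface cannot be genuine, so drop it before any 'trusted' rule is consulted.
    if src in TRUSTED_NET and pkt.ingress_if != INSIDE_IF:
        return "drop"
    # Even for the trusted subnet, permit only the ports actually needed.
    if src in TRUSTED_NET and pkt.dport in NEEDED_PORTS:
        return "accept"
    return "drop"                # default deny for everything else


def evaluate(packets, policy=decide):
    return [policy(p) for p in packets]


# Constructed sample traffic (not captured from any real network)
SAMPLE = [
    Packet(INSIDE_IF, "172.64.22.5", 22),     # genuine internal host, needed port
    Packet(INSIDE_IF, "172.64.22.5", 3389),   # genuine internal host, unneeded port
    Packet(OUTSIDE_IF, "172.64.22.5", 22),    # spoofed internal address from outside
    Packet(OUTSIDE_IF, "203.0.113.9", 22),    # ordinary external host
]

if __name__ == "__main__":
    for p, open_all, strict in zip(SAMPLE, evaluate(SAMPLE, decide_open_all), evaluate(SAMPLE)):
        print(f"{p.ingress_if} {p.src:>14} -> :{p.dport:<5} open-all={open_all:6} strict={strict}")
```

Run as a script, the third sample line shows the difference: the open-all policy accepts the spoofed packet, the strict policy drops it.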
Funky Monkey When I discover who I am, I'll be free
Thanks Gobstopper!
My gut feeling was that this was a really stupid thing, but you've just shone a light on all the reasons WHY it's stupid. I'm under some political pressure to let someone do this, hence the question.