1 Reply Latest reply on Apr 14, 2011 9:04 AM by allamiro

    HIPS8 FW Rule Policy - Samples/Structure/BestPractises

      Gday All,

       

Thought I would start a discussion on this. I am busy testing/creating FW Rule Policy using CAG(s) and focussing on enterprise deployment. Some organizations prefer a fairly open ruleset once their assets are on the corporate network, as they are protected on the perimeter amongst other things, but as soon as assets leave the trusted networks they want stricter policies applied.

       

      Internal (Corporate):

       

In a traditional network fw we normally allow specific/required traffic and deny all else. For a host-based fw my thinking was to create specific denies with a default allow all.

      - Would you agree with this? (If not explain)

- If so, what would be a good baseline for a couple of block/deny rules?

       

External (untrusted) i.e. Wi-Fi, DSL etc.:

       

Here I would have a similar approach, but without the default allow and rather a default deny at the end. My thinking was: specific denies/blocks, followed by Allow all OUT, then default Deny All IN.

      - Would you agree with this? (If not explain)

- Same question as above: what would a good baseline of denies for external-facing assets be?

       

      Any feedback would be much appreciated.

       

      Thanks,

      Werner
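The two rule-set structures sketched above, as a small Python model added here for illustration (it is not from the post and does not follow McAfee HIPS rule syntax; the rule fields, rule names and sample traffic are constructed). It shows first-match evaluation for the internal and external policies and reports denies that can never fire because an earlier catch-all such as "Allow all OUT" already covers them.

```python
# Added model of the two location-aware rule sets from the post. Not McAfee HIPS
# rule syntax: rule names, fields and the sample traffic below are constructed.
from dataclasses import dataclass

ANY = "*"  # wildcard for direction, protocol or port

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    direction: str = ANY  # "in", "out" or ANY
    proto: str = ANY      # "tcp", "udp" or ANY
    port: object = ANY    # destination port or ANY

    def matches(self, direction, proto, port):
        return (self.direction in (ANY, direction) and self.proto in (ANY, proto)
                and self.port in (ANY, port))

    def covers(self, other):
        """True if every connection `other` matches is also matched by self."""
        return all(getattr(self, f) in (ANY, getattr(other, f))
                   for f in ("direction", "proto", "port"))

# Internal (corporate): specific denies, then default allow all.
INTERNAL = [
    Rule("deny inbound telnet", "deny", "in", "tcp", 23),
    Rule("deny outbound smtp", "deny", "out", "tcp", 25),
    Rule("default allow", "allow"),
]

# External (Wi-Fi, DSL): same denies, then allow all OUT, then deny all IN.
EXTERNAL = INTERNAL[:2] + [
    Rule("allow all out", "allow", "out"),
    Rule("deny all in", "deny", "in"),
]

def evaluate(rules, direction, proto, port):
    """First-match evaluation over an ordered rule list; None means no rule
    matched, i.e. a gap in the policy."""
    for r in rules:
        if r.matches(direction, proto, port):
            return r.action, r.name
    return None

def shadowed(rules):
    """Rules that can never fire because an earlier rule covers them,
    e.g. a deny appended below 'allow all out'."""
    return [r.name for i, r in enumerate(rules)
            if any(e.covers(r) for e in rules[:i])]
```

Running `shadowed()` over a candidate policy before deployment catches the common mistake of adding a new deny at the bottom of the external list, where "allow all out" has already matched.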

        • 1. Re: HIPS8 FW Rule Policy - Samples/Structure/BestPractises

          wcoetsee wrote:

           

          Gday All,

           

Thought I would start a discussion on this. I am busy testing/creating FW Rule Policy using CAG(s) and focussing on enterprise deployment. Some organizations prefer a fairly open ruleset once their assets are on the corporate network, as they are protected on the perimeter amongst other things, but as soon as assets leave the trusted networks they want stricter policies applied.

           

          Internal (Corporate):

           

In a traditional network fw we normally allow specific/required traffic and deny all else. For a host-based fw my thinking was to create specific denies with a default allow all.

          - Would you agree with this? (If not explain)

- If so, what would be a good baseline for a couple of block/deny rules?

           

External (untrusted) i.e. Wi-Fi, DSL etc.:

           

Here I would have a similar approach, but without the default allow and rather a default deny at the end. My thinking was: specific denies/blocks, followed by Allow all OUT, then default Deny All IN.

          - Would you agree with this? (If not explain)

- Same question as above: what would a good baseline of denies for external-facing assets be?

           

          Any feedback would be much appreciated.

           

          Thanks,

          Werner

There is no right or wrong when it comes to creating a best practice; it's all tied to your environment. HIPS is flexible to deploy across all environments. The questions you should be asking:

           

          Internal

           

1. How do your components work together? Functions, operating systems? What do they access? Do all have the same baseline?

2. Divide your environment into layers and groups: start with internal, then sub-groups like divisions and the operating systems (servers, workstations, etc.). Use tags to identify systems.

3. It is recommended to put some machines under test on the internal network and see how they function in learn or adaptive mode, if the latter is OK with you.

           

           

          I hope that helps