
Firewall setup

Hello all,

I've got a number of laptops that staff use on and off site on a regular basis. They're trusted users, so they can install software as they see fit, and the software on them updates regularly, such as Flash, Google stuff etc.

They have a policy set on the server, and the firewall is set to block by default. This is so all new apps are flagged up and I can add them to the global policy and make sure they're not using anything too risky, rather than them being able to have an interactive policy that gets overwritten every time they update!

My question is thus:

When I get something appear in the event viewer, I "create rule" and "allow all activity" for the application for the sheer simplicity of it.

Does this pose a security threat? Should I be creating a specific rule for each application to only let it access the internet in a certain manner? And would this potentially allow all inbound activity too for a possibly corrupt/infected application from an outside source?

Thanks,

Ben



  • Hello Ben,

    you didn't mention whether you're using checksums. Marking an application as trusted will allow it to listen for incoming connections. Of course the application has to be designed to listen for incoming connections, and even then the question is whether this could be a risk or not. Allowing only outgoing connections is not necessarily safe(r): think of browsers - although they make only outgoing connections, you can download all kinds of junk with them. Again the question is - what else can the application do?

    With the "common unavoidable risks" (aka browsers) present it might seem futile to create specific rules for certain applications. OTOH it's not wise to forgo reducing the risks just because they can't completely be eliminated. Specific rules can catch rogue activity when an application gets infected. Although checksumming and checking for modified memory (currently not available for 64bit applications) will detect many alterations, there are still other ways to encroach upon an "innocuous" application.

    So usually I try to be specific with the rules, and I even review outgoing requests, as some applications chatter quite a lot and not only announce their presence but also reveal one piece of information or another about the computer they're running on.

    HTH

    Christian

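To make the trade-off in Ben's question and Christian's reply concrete, here is an added example (written for this page, not code from the thread or from any firewall product) that models a per-application policy with block-by-default, an optional image checksum, and either an "allow all activity" rule or a direction- and port-specific rule. The application name "updater", the image bytes, the port numbers and the AppRule/ConnEvent/evaluate names are all constructed for the illustration. It shows that a checksummed "allow all" rule still permits an inbound listener, while a specific rule confines the same application to the outbound traffic it actually needs.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AppRule:
    """Per-application rule, modelled on the two choices discussed in the thread (constructed)."""
    sha256: Optional[str]                  # expected image checksum, or None to skip the check
    allow_all: bool = False                # "allow all activity": any direction, any port
    outbound_ports: FrozenSet[int] = frozenset()
    inbound_ports: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class ConnEvent:
    """One connection attempt as the firewall would see it (constructed)."""
    app: str
    image: bytes        # bytes of the executable image, stands in for the file on disk
    direction: str      # "out" (connect) or "in" (listen/accept)
    port: int


def evaluate(policy: Dict[str, AppRule], ev: ConnEvent) -> Tuple[str, str]:
    """Return (decision, reason). Applications without a rule are blocked by default."""
    rule = policy.get(ev.app)
    if rule is None:
        return "deny", "no rule: block by default"
    # Checksum first: a modified image never inherits the trust of the original.
    if rule.sha256 is not None and hashlib.sha256(ev.image).hexdigest() != rule.sha256:
        return "deny", "checksum mismatch: image differs from the trusted one"
    if rule.allow_all:
        return "allow", "allow all activity (this includes inbound listeners)"
    permitted = rule.outbound_ports if ev.direction == "out" else rule.inbound_ports
    if ev.port in permitted:
        return "allow", f"{ev.direction}bound port {ev.port} is in the rule"
    return "deny", f"{ev.direction}bound port {ev.port} is not in the rule"


# Constructed sample data: a "known good" updater image and a tampered copy of it.
GOOD_IMAGE = b"updater.exe build 1 (constructed sample)"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90injected"
GOOD_SHA = hashlib.sha256(GOOD_IMAGE).hexdigest()

EVENTS: List[ConnEvent] = [
    ConnEvent("updater", GOOD_IMAGE, "out", 443),      # normal update check
    ConnEvent("updater", GOOD_IMAGE, "in", 4444),      # unexpected inbound listener
    ConnEvent("updater", TAMPERED_IMAGE, "out", 443),  # modified image, same name
    ConnEvent("unknown", GOOD_IMAGE, "out", 80),       # application with no rule at all
]


def decisions_under(policy: Dict[str, AppRule]) -> List[str]:
    """Decision for each sample event under the given policy."""
    return [evaluate(policy, ev)[0] for ev in EVENTS]


def compare_policies() -> Dict[str, List[str]]:
    """Same checksummed application, once with 'allow all' and once with a specific rule."""
    allow_all = {"updater": AppRule(sha256=GOOD_SHA, allow_all=True)}
    specific = {"updater": AppRule(sha256=GOOD_SHA, outbound_ports=frozenset({443}))}
    return {"allow_all": decisions_under(allow_all), "specific": decisions_under(specific)}


if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name)
        for ev, decision in zip(EVENTS, results):
            print(f"  {ev.app:8} {ev.direction:3} {ev.port:5} -> {decision}")
```

Running it prints two tables: under the "allow all" rule the inbound listener on port 4444 is allowed, under the specific rule it is denied, and in both cases the tampered image and the unknown application are blocked. Reviewing the denied outbound ports over time is the equivalent of Christian's habit of checking what an application "chatters" about before widening its rule.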
  • Thanks for the advice.

    Yes, I do use checksums, as it means I can have better control over just what they're up to. I'll have a trawl through my firewall configuration and try to create some specific rules for each application to cut down on the risk a little more.

    Ben
