Firewall Collaboration

Hey, fellow Syndicate members.

I want to know things. Things about your firewall.

What do you block? What policies do you put in place? What kind of firewall do you use? I realize you may not feel comfortable explaining every detail about your security configuration, for obvious reasons, but I feel like we should share this type of information for our mutual benefit.

I have just started setting up a new firewall, and that is what brought this topic to mind. So far I have only blacklisted a few IP addresses that I know to be Cryptowall/Cryptolocker contact points, and a few services that I do not ever want running in my network. With that being said, the current firewall solution I'm using does not have all of the features I'm used to, so it makes my setup process a bit more manual. I'm using a Cisco Meraki MX100.

Do you use a vulnerability management application or service to keep your blacklists up to date? Do you use Group Policy (if in a Windows environment) to manage user permissions on your intranet, as a kind of internal firewall?
How do you scan your outside facing IPs to make sure your protection is effective? What is the best way to secure RDP openings? What is the best way to secure Active Directory Logins without disrupting users?

Thanks for reading!

wan -> lan = drop unrelated
wan -> dmz = drop unrelated except services needed
dmz -> lan = drop unrelated
dmz -> wan = do as you please XD
lan -> wan = drop SMTP(25), NTP, DNS for all except the related servers as I run them locally, allow rest
lan -> dmz = see above

I think that's it... not overly sophisticated, but it's OK for me at home. At work I may not disclose what we do and how... sorry... policy for the win.
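The six zone rules above, written out as an nftables ruleset (an added example, not the poster's own configuration; the interface names, the local DNS/NTP/SMTP server addresses, the DMZ web host and the block-list entry are all assumed placeholders):

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and addresses are placeholders, not from the post.
define wan = "eth0"
define lan = "eth1"
define dmz = "eth2"
define lan_infra = { 192.168.1.10, 192.168.1.11 }   # assumed local DNS/NTP/SMTP servers
define dmz_web   = 192.168.2.10                      # assumed published DMZ web host

flush ruleset

table inet filter {
    # IP block list, refreshed from a daily feed with "nft add element ..." (placeholder range)
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    # lan -> wan and lan -> dmz share one policy: SMTP/NTP/DNS only from the local servers,
    # everything else from the LAN is allowed
    chain lan_egress {
        ip saddr $lan_infra tcp dport { 25, 53 } accept
        ip saddr $lan_infra udp dport { 53, 123 } accept
        tcp dport { 25, 53 } drop
        udp dport { 53, 123 } drop
        accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Block-listed addresses are dropped in both directions before anything else
        ip saddr @blocklist drop
        ip daddr @blocklist drop

        # "drop unrelated": only replies to already established flows pass by default
        ct state established,related accept
        ct state invalid drop

        # wan -> dmz: only the services that are actually published
        iifname $wan oifname $dmz ip daddr $dmz_web tcp dport { 80, 443 } accept

        # wan -> lan and dmz -> lan: no new connections (the chain policy drops them)

        # dmz -> wan: do as you please
        iifname $dmz oifname $wan accept

        # lan -> wan and lan -> dmz: see the shared chain above
        iifname $lan oifname $wan jump lan_egress
        iifname $lan oifname $dmz jump lan_egress
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset` after a few minutes of traffic to confirm the LAN DNS/NTP/SMTP drops are only hitting hosts that should be using the local servers.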

I posted my firewall rules to this thread the other day, you can have a look there. Feel free to ask any questions about them if they don't make sense.

https://forum.teksyndicate.com/t/post-your-home-network-setups/97030/15?u=dexter_kane

This is the firewall on pfSense, which also runs Snort and an IP blocker that blocks any IP on a block list that is updated every day. I also have a block list on my DNS server.

My mail server also runs fail2ban to block IPs after several failed login attempts.

Good answer. That's pretty much it in a nutshell.

Matt