[olug] VNC w/Qwest
Dave Thacker
dthacker9 at cox.net
Tue Oct 16 12:35:19 UTC 2007
On Monday 15 October 2007 23:13, Benjamin Watson wrote:
> The way I learned it, when standing up a firewall, configure it to
> block everything, then slowly open up the ports you need. When it
> comes to opening up ports, even that may be restricted to allow
> traffic between distinct IPs/MACs/Hostnames.
>
> As a person who works for the DoD, I can tell you that you need a
> strong business justification for the IA (information assurance) shop
> to open up ports on their firewall for you.
>
> I can understand allowing ICMP traffic within your private side, but
> from the outside in has been a "no no" everywhere I've worked. To
> that end, I typically find that DMZ servers are themselves configured
> not to respond to ICMP and have statically assigned IPs.
The CISP/PCI bunch are pretty picky on this as well. Your compliance plan
must include business justification for any open port.
Dave
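The default-deny approach in the quoted message (block everything, then open only justified ports, pinned to specific source addresses, with ICMP accepted only on the private side) can be written down as an nftables ruleset. The script below is an added example for this list post, not something from the original thread; it assumes nftables on the firewall host, and the interface name, private network and management-host address are constructed placeholders:

```sh
#!/bin/sh
# Generate an nftables ruleset implementing default-deny with an explicit allow-list.
# Assumed/constructed names: eth0 = outside-facing interface, 10.0.0.0/24 = private side,
# 203.0.113.10 = the one management host justified to reach SSH.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/24}"
MGMT_HOST="${MGMT_HOST:-203.0.113.10}"

gen_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Loopback and flows the host itself initiated are always allowed.
    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # ICMP only from the private side (and only on non-outside interfaces, so a
    # spoofed private source address on the outside link is still dropped).
    # Echo-request arriving from outside falls through to the drop policy: no reply.
    iifname != "$OUTSIDE_IF" ip saddr $PRIVATE_NET icmp type { echo-request, destination-unreachable, time-exceeded } accept

    # Each opened port is pinned to its justified source: SSH only from the management host.
    iifname "$OUTSIDE_IF" tcp dport 22 ip saddr $MGMT_HOST ct state new accept

    # Publicly required service (HTTPS). Still the only other port open from outside.
    iifname "$OUTSIDE_IF" tcp dport 443 ct state new accept

    # Everything else is counted and logged, then dropped by the chain policy.
    counter log prefix "nft-drop: " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Audit helper: list the ports the ruleset opens, so each one can be matched
# against a business justification in the compliance plan.
open_ports() {
  gen_ruleset | grep -o 'dport [0-9]*' | awk '{print $2}' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Usage: sh firewall.sh > /etc/nftables.conf && nft -c -f /etc/nftables.conf  (syntax check before loading)
gen_ruleset
```

The input chain's `policy drop` is what makes the design default-deny; every later line is an exception that has to be argued for, and `open_ports` gives the short list an auditor would ask to see justified.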