Page 2 of 2
Results 11 to 16 of 16
  1. #11
    Master Untangler | Join Date: May 2010 | Posts: 280

    *and* SSL inspection, with default of inspect, not bypass. If you don't do SSL, you might as well not do anything. My opinion.

    Sent from my Pixel XL using Tapatalk

  2. #12
    Newbie | Join Date: May 2017 | Posts: 3

    Quote Originally Posted by sky-knight
    Just make a firewall rule that says block, destination interface any-wan.

    Then start making the appropriate pass rules to make everything work. But Sky... where are your suggestions here?

    Nope, not going to get any, I'm going to get some popcorn and watch you learn the hard way why what you just asked is completely, utterly, and totally insane.

    I'm sorry, I have to disagree. In my experience, in a business environment, block all is the very last rule on the firewall. Above that you put the basics: port 80 and 443. Then you start adding as needed.

  3. #13
    Newbie | Join Date: May 2017 | Posts: 3

    I know your pain!
    You are on the right track.

    Here is what we did to implement a more secure firewall solution.

    First we left the rules wide open, but tracking everything.

    What this does is show you what traffic is already there. An application-aware firewall is a great help. You can see what applications your users are using.
    Now I am new to UT, so this may be where I get things completely wrong.
    Stop thinking about ports. Think in terms of applications where you can.
    You don't need to open port 80. You need to allow HTTP browsing.
    You don't need to allow 443 (lots of malware uses that too); you need to have SSL inspection and allow SSL (make sure you block invalid HTTPS traffic also).
    You don't need to open a port for GoToMeeting; you need to allow GoToMeeting.

    You want to do it this way because malware knows you are going to open 80 and 443 and 53. They will try to use them to do their evil stuff. The application filter will/should see that even though it is on port 80 it is not web browsing and drop the traffic.

    Now, having said that, create rules to support the traffic you want to allow.
    Make sure users/devices are hitting those rules.
    Create and activate the last rule: block all.

    Now wait for phone calls, as you will have to make additions and changes to smooth things out. It took us about 2-3 weeks. From then on it is just adjustments now and then.

    This is a hard road, but it is the more secure road.
    Last edited by dTardis; 05-31-2017 at 03:52 PM.
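    An added example (not code from the thread, and not Untangle's own rule engine) of the order of operations this post describes: application-aware allow rules, a log-only pass so you can see which rules real traffic would hit, then the final block-all rule. The tiny application classifier, the flows, the addresses and the rule names are all constructed for illustration; a real application-aware firewall classifies far more than three protocols.

```python
"""First-match firewall policy simulator: application-aware allow rules in
front of a final block-all rule, with a log-only phase before enforcing.
Added example; flows, addresses and the classifier are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    payload: bytes      # first bytes the client sends (constructed)


def detect_app(flow: Flow) -> str:
    """Classify by payload, not by port. Simplified on purpose: enough to
    show that 'port 80' and 'HTTP browsing' are not the same thing."""
    p = flow.payload
    if flow.proto == "tcp" and re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", p):
        return "http"
    if flow.proto == "tcp" and p[:3] == b"\x16\x03\x01":      # TLS record: handshake, v3.1
        return "tls"
    # DNS query: at least a 12-byte header with the QR bit (top bit of byte 2) clear
    if flow.proto == "udp" and flow.dst_port == 53 and len(p) >= 12 and (p[2] & 0x80) == 0:
        return "dns"
    return "unknown"


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    app: Optional[str] = None         # match on the classified application
    dst_port: Optional[int] = None    # optional extra port constraint
    hits: int = 0                     # how often traffic matched this rule

    def matches(self, flow: Flow, app: str) -> bool:
        if self.app is not None and self.app != app:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, enforce: bool = True) -> Tuple[str, str]:
    """First matching rule wins. With enforce=False (the 'wide open but tracking
    everything' phase) every flow is allowed, but the rule it *would* hit is
    still counted, so you can confirm the allow rules see traffic before the
    block-all rule is switched on."""
    app = detect_app(flow)
    for rule in rules:
        if rule.matches(flow, app):
            rule.hits += 1
            return rule.name, (rule.action if enforce else "allow")
    raise RuntimeError("ruleset has no final catch-all rule")


def run(rules: List[Rule], flows: List[Flow], enforce: bool) -> List[Tuple[str, int, str, str]]:
    """Reset hit counters and evaluate every flow; returns (src, port, rule, action)."""
    for r in rules:
        r.hits = 0
    return [(f.src, f.dst_port, *evaluate(rules, f, enforce)) for f in flows]


def hit_report(rules: List[Rule]) -> Dict[str, int]:
    return {r.name: r.hits for r in rules}


# Policy in the order the post recommends: specific allows, then block all last.
POLICY = [
    Rule("web browsing", "allow", app="http"),
    Rule("tls (inspected)", "allow", app="tls"),
    Rule("dns", "allow", app="dns", dst_port=53),
    Rule("block all", "block"),
]

# Constructed traffic: two flows on port 80, only one of which is HTTP.
SAMPLE = [
    Flow("10.0.0.5", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", 80, "tcp", b"\x00\x01\xde\xad\xbe\xef not-http-at-all"),   # blocked despite port 80
    Flow("10.0.0.5", 443, "tcp", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("10.0.0.9", 53, "udp", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    Flow("10.0.0.9", 8443, "tcp", b"\x16\x03\x01\x00\xc4\x01"),   # TLS on an odd port: still "tls"
    Flow("10.0.0.3", 6667, "tcp", b"NICK bot1\r\n"),                 # unknown app: falls to block all
]

if __name__ == "__main__":
    for line in run(POLICY, SAMPLE, enforce=False):
        print("log-only:", line)
    print("would-hit counts:", hit_report(POLICY))
    for line in run(POLICY, SAMPLE, enforce=True):
        print("enforced:", line)
```

    Running it with enforce=False first mirrors the "wide open, but tracking everything" step: nothing is dropped, yet the counters show the non-HTTP flow on port 80 and the IRC-looking flow would both land on the block-all rule, which is exactly the traffic to look at before flipping to enforce.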

  4. #14
    Newbie | Join Date: May 2017 | Posts: 3

    Quote Originally Posted by JasonJoel
    *and* SSL inspection, with default of inspect, not bypass. If you don't do SSL, you might as well not do anything. My opinion.

    Sent from my Pixel XL using Tapatalk

    You are correct!

  5. #15
    Master Untangler | Join Date: May 2010 | Posts: 280

    Only thing I will say is that having SSL Inspector default to inspect *will* break a lot of things - especially on mobile devices / mobile apps. You will be making *a lot* of ignore/bypass SSL inspector rules if you go this route.

  6. #16
    Untangle Ninja sky-knight | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 21,311

    Quote Originally Posted by JasonJoel
    Only thing I will say is that having SSL Inspector default to inspect *will* break a lot of things - especially on mobile devices / mobile apps. You will be making *a lot* of ignore/bypass SSL inspector rules if you go this route.

    And many of the ignore rules will open the flood gates to entire CDNs invalidating most of the effort.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
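    An added example (not code from the thread, and not Untangle's SSL Inspector) of the point made in the last two posts: a bypass rule written for the CDN that hosts a pinned mobile app exempts every other tenant of that CDN from inspection, while a rule scoped to the one hostname and the mobile network does not. Hostnames, client addresses, the "mobile" attribute and the flow list are constructed.

```python
"""How SSL-inspection bypass rules widen: bypass-by-CDN versus bypass-by-host.
Default is inspect; a TLS flow is bypassed only when a bypass rule matches.
Added example; all hostnames, addresses and flows are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass(frozen=True)
class TlsFlow:
    client: str     # source address
    sni: str        # server name from the ClientHello
    mobile: bool    # client is on the mobile/BYOD network (constructed attribute)


@dataclass(frozen=True)
class BypassRule:
    sni_pattern: str               # fnmatch-style pattern, e.g. "*.cdn.example"
    mobile_only: bool = False      # restrict the bypass to the mobile network

    def matches(self, f: TlsFlow) -> bool:
        return fnmatch(f.sni, self.sni_pattern) and (f.mobile or not self.mobile_only)


def decide(flow: TlsFlow, rules: List[BypassRule]) -> str:
    """Inspect by default; bypass only on an explicit rule match."""
    return "bypass" if any(r.matches(flow) for r in rules) else "inspect"


def bypass_report(flows: List[TlsFlow], rules: List[BypassRule]) -> Tuple[List[str], int]:
    """Distinct server names that escaped inspection, and how many flows that was."""
    bypassed = [f for f in flows if decide(f, rules) == "bypass"]
    return sorted({f.sni for f in bypassed}), len(bypassed)


# Constructed traffic: one pinned app on a shared CDN, plus unrelated tenants of
# the same CDN and some hosts that are not on the CDN at all.
FLOWS = [
    TlsFlow("10.1.0.10", "api.pinnedapp.cdn.example", True),    # the app that breaks under inspection
    TlsFlow("10.1.0.11", "api.pinnedapp.cdn.example", True),
    TlsFlow("10.0.0.5", "files.sharesite.cdn.example", False),  # unrelated CDN tenant
    TlsFlow("10.0.0.6", "dl.random-tool.cdn.example", False),   # unrelated CDN tenant
    TlsFlow("10.0.0.7", "www.bank.example", False),
    TlsFlow("10.0.0.5", "updates.vendor.example", False),
]

BROAD = [BypassRule("*.cdn.example")]                                   # "just bypass the CDN"
NARROW = [BypassRule("api.pinnedapp.cdn.example", mobile_only=True)]    # one host, mobile only

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        hosts, n = bypass_report(FLOWS, rules)
        print(f"{label}: {n} flows uninspected, hosts: {hosts}")
```

    The broad rule lets three distinct hosts through uninspected, two of which have nothing to do with the app the rule was written for; the narrow rule exempts only the pinned app's API host and only from the mobile network, so a desktop client reaching the same CDN is still inspected.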
