[OPLINTECH] Firewall configuration question

Chad Neeper cneeper at level9networks.com
Sat Jun 27 11:40:33 EDT 2015


Strictly talking about network perimeter firewalls here, not personal
firewalls like Windows Firewall or the like:

Network perimeter firewall configuration best practice suggests that
blocking should occur in both directions by default, with exceptions being
made as required. That means no network traffic INTO the network...AND no
traffic OUT of the network without specific exceptions being made.

By default, however, most SOHO and mid-level firewalls come configured to
block all inbound traffic but PERMIT all outbound traffic. This is a much
easier configuration for novice firewall admins to work with because it
doesn't prevent LAN computers from doing anything at all that they care to
do.

On my own business network, I block all in and outbound traffic and make
exceptions as required. However, I haven't implemented outbound blocking at
any library yet. I'm considering it.

If I do implement, I think I could only realistically do it for staff LANs.
Those are the most controlled environments, with known applications doing
known things.

I don't think it would be wise to try to implement for patron computer LANs
or for patron wifi though. There is just no way to know what exceptions to
make for every use case. I could make exceptions to let Roblox or Minecraft
work, but it would be a constant battle to keep up on all the latest
popular software and their individual requirements.

So my (first) question is simply this:  Do any of you currently block
outbound network traffic on any segment of your LAN?

Thanks,
Chad

___________________________________
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

Full IT/Computer consulting services -- Specialized in libraries and schools
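An nftables ruleset laying out the policy Chad describes (drop in both directions by default, enumerated outbound exceptions for the staff LAN, outbound left open for the patron LAN). This is an added example, not from the original post; the subnets, interface name and resolver addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Constructed placeholder values; substitute the real LAN subnets, WAN
# interface and recursive resolvers for the site.
define STAFF_LAN   = 192.168.10.0/24
define PATRON_LAN  = 192.168.20.0/24
define WAN_IF      = "eth0"
define DNS_SERVERS = { 192.0.2.53, 198.51.100.53 }

table inet perimeter {
    chain forward {
        # Nothing crosses the firewall unless a rule below allows it,
        # inbound or outbound.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Staff LAN: known applications doing known things, so enumerate them
        ip saddr $STAFF_LAN oifname $WAN_IF jump staff_out

        # Patron LAN / wifi: exceptions cannot be enumerated, outbound stays open
        ip saddr $PATRON_LAN oifname $WAN_IF accept
    }

    chain staff_out {
        ip daddr $DNS_SERVERS udp dport 53 accept
        ip daddr $DNS_SERVERS tcp dport 53 accept
        tcp dport { 80, 443 } accept
        udp dport 123 accept
        # Anything else from staff is logged before being dropped, so a
        # missing exception shows up in the log instead of failing silently
        log prefix "staff-egress-drop " drop
    }

    chain input {
        # Traffic addressed to the firewall itself: same default-deny stance
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management only from the staff LAN
        ip saddr $STAFF_LAN tcp dport 22 accept
    }
}
```

Loading with `nft -c -f` first checks the syntax without touching the running ruleset.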