I was doing a review of some firewall policies and noticed the company I am consulting for is allowing all applications risk 1 through 3 from their trust to untrust zones. Not sure why it's setup that way yet, but in doing so, SMB traffic is alllowed out.
I want to immediately put a control in that blocks SMB traffic outbound. Is it recommended to create the policy using only ports, tcp/udp port 445, or should I block via SMB application? My thought is block via ports, but I'll do whatever is the recommended way.
What about tcp/udp port 137 and 139? Should these also be added to the blocked 'from trust to untrust' rule?
I'm curious to what you all are doing.
They are not mutually exclusive. You can do both. Just leave the rule where you define application SMB, set to application 'any', so if SMB is used evasively through different ports, it can also be blocked.
Not sure I'm following your response. Do you mean if you choose SMB for application, set the Service to Any?
Is it common practice to create multiple rules to block SMB?
Yes, SMB for application, Service to Any.
Not sure what common practice is, but some environments require that *no* packets leave out on specific ports.
The app-id engine needs to allow a few packets through before it identifies the application, so if you go solely with an app-id rule, a few packets will always leave the firewall before there's a block action enforced.
We have a strict deny all allow by exception policy at our company. So we only allow appplications/ports/urls etc., based on approval from the executives. If you are looking to block traffic, start with the logs and see what is being allowed out and start blocking on it. The ACC tab can help you with this as well.
As for writing policies, I try to use applications rather than actual ports.
Hope that helps.
Risk 1 through 3 from their trust to untrust zones is not a great way to allow traffic to the Internet.
There are 58 pages of applications when I look at this on my firewall.
I found this out the hard way when someone set this up for our guest networks and we had a big netbios attacks launch from a rogue machine on our network. Whittle it down to what you actually need.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!