Organization edge inbound ACL on WWW device

JohnRosso3555
Level 1

Hello

Wondering if anyone has a common practice for which inbound ports I should block on the edge internet router that is connected to the ISP. I will block any host from the WWW to IP addresses on my L3 device, like the circuit interfaces and SVIs. I will block any incoming snmp, telnet and ntp, and block all tcp and udp using those ports. Can anyone suggest more?
Thank you!


4 Replies

balaji.bandi
Hall of Fame

It all varies based on the requirement. Since the FW is stateful, you allow from inside to outside, and from outside to inside only what is allowed based on the requirement (do not allow anything that is not secured), unless there is a specific requirement.
BB


Yes, the Checkpoint Firewalls will do most of the blocking, but the internet edge L3 switch stack sits in between the WWW and the Firewalls. Therefore, I would just need to block some things in ACL format that will protect the switch, since it is exposed to the WWW.

Hello,

Basically, I would block anything and everything. With e.g. a zone-based firewall, you could selectively allow only SSH or the stuff you need for management.

We'll let the FW do most of the blocking, but the internet edge router will deny any snmp, telnet, and 9996 Netflow traffic from coming inbound or outbound through the edge router. The edge router is the first device, then the Firewall.

Thanks all...
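As an added example, not configuration posted by anyone in this thread, here is how the approach the OP settled on (deny snmp, telnet, ntp and 9996 NetFlow in both directions, and deny anything from the Internet addressed to the L3 device itself, then pass the rest to the stateful firewall) could be written as an IOS infrastructure ACL on the ISP-facing interface. Addresses, interface name and ACL names are constructed placeholders; it assumes static routing to the ISP, so no peer needs to reach the edge device.

```cisco
! Constructed example, not configuration from anyone in the thread.
! Placeholder addressing (RFC 5737 documentation space):
!   198.51.100.2  - our end of the ISP circuit /30
!   203.0.113.1   - SVI facing the firewall outside interfaces (/29)
! Assumes static routing to the ISP, so no peer needs to reach the box.
ip access-list extended EDGE-INBOUND
 remark anti-spoofing: our own inside prefix never arrives from the Internet
 deny   ip 203.0.113.0 0.0.0.7 any
 remark management/telemetry protocols named in the thread, TCP and UDP
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq 161
 deny   tcp any any eq 162
 deny   tcp any any eq telnet
 deny   udp any any eq 23
 deny   udp any any eq ntp
 deny   tcp any any eq 123
 deny   udp any any eq 9996
 deny   tcp any any eq 9996
 remark nothing from the Internet may address the L3 device itself
 deny   ip any host 198.51.100.2 log
 deny   ip any host 203.0.113.1 log
 remark everything else continues to the stateful firewall
 permit ip any any
!
ip access-list extended EDGE-OUTBOUND
 remark the same protocols must not leave toward the ISP either
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq telnet
 deny   udp any any eq 9996
 deny   tcp any any eq 9996
 permit ip any any
!
interface GigabitEthernet1/0/1
 description ISP circuit
 no switchport
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-INBOUND in
 ip access-group EDGE-OUTBOUND out
!
! Check that the deny entries are catching what you expect:
! show ip access-lists EDGE-INBOUND
```

If the ISP monitors the circuit IP with ICMP or runs a routing protocol to the edge device, permit those specific sources above the two host denies, since the ACL is evaluated top down and the first match wins.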
