Outgoing Service Guidelines - Watchguard Firebox X1000 User Manual


Services that send passwords in the clear (FTP, telnet, POP) are very risky.
Services with built-in strong authentication (such as ssh) are reasonably safe. If the service does not have built-in authentication, you can mitigate the risk by using user authentication with that service.
Services such as DNS, SMTP, anonymous FTP, and HTTP are safe only if they are used in their intended manner.
Allowing a service to access only a single internal host is safer than allowing the service to access several or all hosts.
Allowing a service from a restricted set of hosts is somewhat safer than allowing the service from anywhere.
Allowing a service to the optional network is safer than allowing it to the trusted network.
Allowing incoming services from a virtual private network (VPN), where the organization at the other end is known and authenticated, is generally safer than allowing incoming services from the Internet at large.

Each safety precaution you implement makes your network significantly safer. Following three or four precautions is much safer than following one or none.

Outgoing service guidelines

In general, the greatest risks come from incoming services, not outgoing services. There are, however, some security risks with outgoing services as well. Control of outgoing services helps to protect your network from hostile acts within your organization. For example, when configuring the outgoing FTP service, you can make it read-only and/or restrict the destination hosts that can receive such a transmission. This prevents insiders from using FTP to transmit corporate secrets to a home computer or to a rival organization.
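
The service guidelines and the outgoing FTP case above, applied as an audit over a rule list. This is an added example, not from the WatchGuard manual or product; the rule fields, the service sets, and the three-precaution threshold are assumptions made for illustration.

```python
from ipaddress import ip_network

CLEARTEXT = {"ftp", "telnet", "pop3"}   # services that send passwords in the clear
STRONG_AUTH = {"ssh"}                    # services with built-in strong authentication

def precautions(rule):
    """List the guideline precautions a (hypothetical-format) rule follows."""
    met = []
    if rule["service"] in STRONG_AUTH or rule.get("user_auth"):
        met.append("authentication")
    if rule["src"] != "any":
        met.append("restricted source hosts")
    if rule["direction"] == "incoming":
        if rule["dst"] != "any" and ip_network(rule["dst"]).num_addresses == 1:
            met.append("single internal host")
        if rule.get("zone") == "optional":
            met.append("optional network")
        if rule.get("via_vpn"):
            met.append("authenticated VPN peer")
    else:
        if rule["dst"] != "any":
            met.append("restricted destination hosts")
        if rule["service"] == "ftp" and rule.get("read_only"):
            met.append("read-only FTP")
    return met

def audit(rules):
    """Return {rule name: (precautions met, warnings)}."""
    report = {}
    for rule in rules:
        met, warnings = precautions(rule), []
        if rule["service"] in CLEARTEXT:
            warnings.append("password sent in the clear")
        if (rule["direction"], rule["service"]) == ("outgoing", "ftp") and not (
                {"read-only FTP", "restricted destination hosts"} & set(met)):
            warnings.append("unrestricted outgoing FTP upload")
        if len(met) < 3:  # assumed threshold, from "three or four precautions"
            warnings.append("fewer than three precautions")
        report[rule["name"]] = (met, warnings)
    return report

# Constructed sample rules; addresses are private or documentation ranges.
RULES = [
    {"name": "ftp-out-open", "direction": "outgoing", "service": "ftp",
     "src": "any", "dst": "any"},
    {"name": "ftp-out-partner", "direction": "outgoing", "service": "ftp",
     "src": "10.0.1.0/24", "dst": "203.0.113.10/32", "read_only": True},
    {"name": "ssh-in-vpn", "direction": "incoming", "service": "ssh", "via_vpn": True,
     "src": "198.51.100.0/24", "dst": "10.0.2.5/32", "zone": "optional"},
]
```

Calling `audit(RULES)` shows the open outgoing FTP rule meeting no precautions, while the partner rule meets three and is left with only the cleartext-password warning that FTP always carries.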
User Guide
Selecting Services for your Security Policy Objectives