I know some sites trust their servers and let the servers talk to anywhere on the Internet or internally.
Just had a thought, instead all servers should be blocked for all traffic except for business needed traffic. What about updates? The servers need to go fetch updates. (In those cases where the patches/updates are not handled in a centralized method.) Give those who are responsible for patching servers an authpf account that gives the server the permission to go get updates.
When the sysop logouts of the gateway system the rules are reverted back to a very restricted state. The nice part is that this will work 24×7 and the firewall admins need not be around to change the rules.
To further contain possible unwanted behavior, give each application owner their own ID and limit that ID to the specific IPs of the application servers.
What do you think?
What others are saying