The default security policy is based on generally accepted security
practices and has these characteristics.
All access is denied except those permitted by the policy.
Outgoing from the zone:
- These are on by default:
- TCP/UDP port 53 (DNS)
- UDP port 119 (NTP)
- These must be requested, and requests will normally be granted:
- TCP ports 21/22 (FTP)
- TCP port 22 (SSH)
- TCP port 23 (Telnet)
- TCP port 25 (SMTP), if the sending address is properly registered
in the DNS
- TCP ports 80/443 (HTTP/HTTPS)
- TCP/UDP port 161 (SNMP)
- TCP/UDP port 162 (SNMP Trap)
- ICMP Ping
- Traceroute
- These will normally not be granted:
- TCP/UDP port 135 (RDC)
- TCP/UDP port 137-139 (NetBIOS)
- TCP/UDP port 445 (Microsoft DS)
- TCP/UDP port 1433 (SQL Server)
- TCP/UDP port 6660-6670 (IRC)
Incoming to the zone:
- These are on by default:
- These must be requested for individual destinations, and requests
will normally be granted:
- TCP ports 21/22 (FTP), if the source is from a limited range
- TCP port 22 (SSH), if the source is from a limited range
- TCP port 25 (SMTP), if there is a mail server host properly
registered in the DNS; Executive Branch mail servers should only be
able to receive mail from the anti-spam network block.
- TCP ports 80/443 (HTTP/HTTPS), if there is a web server host
properly registered in the DNS
- TCP/UDP port 161 (SNMP), if the source is from a limited range
- TCP/UDP port 162 (SNMP Trap), if the source is from a limited range
- ICMP Ping
- Traceroute
- These will normally not be granted:
- TCP/UDP port 135 (RDC)
- TCP/UDP port 137-139 (NetBIOS)
- TCP/UDP port 445 (Microsoft DS)
- TCP/UDP port 1433 (SQL Server)
- TCP/UDP port 6660-6670 (IRC)
Other openings can be requested and will be reviewed on a
case-by-case basis.
Exceptions to the above will be implemented only after explicit
confirmation by the requestor and after documenting the exception and
the warning.
