Monday, December 2, 2019

Is L4 filtering still a thing on access networks?

We enforce whitelist-based L4 filtering on most student/guest WLANs at the AP, allowing the usual 53/67/68/80/443 and a few others, while blocking the rest. Most of the time this works, but more frequently I find this breaks some new app/service and we need to whitelist arbitrary port(s), which are not always documented.

I think we do this based on historical precedent, looking to cut down on stuff like torrents/viruses/etc. But my sense is these days it's better to just firewall off access to private/secure networks at L3 and leave L4 alone, and let our NGFW do what it does best. Have I missed something?
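To make the trade-off concrete, here is an added example (not from the original post) that models the two policies side by side: the per-AP L4 allowlist described above, and an L3-only policy that denies guest traffic into private/infrastructure address space while leaving destination ports alone. The sample flows, the campus resolver at 10.0.0.53, the DHCP server at 10.0.0.1 and the "undocumented app port" 8443 are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-originated connection attempt (destination side only)."""
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


# Policy A: the per-AP L4 allowlist from the post (53/67/68/80/443 plus "a few others").
L4_ALLOWED_PORTS = {53, 67, 68, 80, 443}

# Policy B: L3-only. Destinations inside private/infrastructure ranges are denied,
# except for the services guests legitimately need from them. Everything else
# (i.e. the public Internet) is allowed on any port.
PROTECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8")
]
# (network, proto, port) carve-outs from the protected ranges. Addresses are assumed.
L3_EXCEPTIONS = [
    (ipaddress.ip_network("10.0.0.53/32"), "udp", 53),  # assumed campus resolver
    (ipaddress.ip_network("10.0.0.1/32"), "udp", 67),   # assumed DHCP server/relay
]


def l4_allowlist(flow: Flow) -> bool:
    """Policy A: allow only if the destination port is on the list."""
    return flow.dst_port in L4_ALLOWED_PORTS


def l3_private_block(flow: Flow) -> bool:
    """Policy B: allow unless the destination is in a protected range
    (carve-outs for DNS/DHCP infrastructure are honoured first)."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for net, proto, port in L3_EXCEPTIONS:
        if dst in net and flow.proto == proto and flow.dst_port == port:
            return True
    return not any(dst in net for net in PROTECTED_NETS)


POLICIES = {"l4_allowlist": l4_allowlist, "l3_private_block": l3_private_block}


def compare(flows: dict) -> dict:
    """Return {flow label: {policy name: 'allow' | 'deny'}} for each flow."""
    out = {}
    for label, flow in flows.items():
        out[label] = {name: ("allow" if fn(flow) else "deny")
                      for name, fn in POLICIES.items()}
    return out


# Constructed sample flows (203.0.113.0/24 is a documentation range, used as "the Internet").
SAMPLE_FLOWS = {
    "https to public site": Flow("203.0.113.10", 443, "tcp"),
    "undocumented app port": Flow("203.0.113.20", 8443, "tcp"),
    "https to internal server": Flow("10.0.5.10", 443, "tcp"),
    "dns to campus resolver": Flow("10.0.0.53", 53, "udp"),
    "smb to internal host": Flow("192.168.1.20", 445, "tcp"),
}

if __name__ == "__main__":
    for label, verdicts in compare(SAMPLE_FLOWS).items():
        print(f"{label:28} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the two failure modes the post is weighing: the L4 allowlist denies the new app on port 8443 (the support ticket case) yet still lets a guest reach an internal server on 443, because it never looks at the destination address; the L3 policy closes the internal-server gap and needs no per-app port updates, but does nothing about what leaves on the allowed Internet paths, which is the part the NGFW is expected to cover.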


