RE: Open All Outbound Ports?

[Louis Erickson <LErickson () ariba com>]

By using a proxy at your NAT gateway, you can allow passive ftp from inside
the firewall to work properly.  You need more than port mapping to do it,
but it can be done.  OpenBSD and Linux's firewalls both do this
transparently, I believe, at least for people inside trying to use FTP to
the outside.  It doesn't allow FTP back in, or didn't last time I tried.

I will admit that my personal network (nothing to do with Ariba, who's
network configuration I don't know, and don't care as long as the things I
need to do work properly) has all outbound ports open, via NAT.  Incoming is
heavily filtered, but once you're in, you can connect to anywhere.  I'm too
lazy for myself and the other users of my resources to try and specifically
allow anywhere they might connect to.  (In this case irc, muds, online games
and such which tend to have ports all over the map as well.)  To help limit
this, I make sure my (very small group of) users is educated about what not
to do, and insist upon good virus scanning software.  So far, so good.

While I do see the risks inherent with this, I don't know a good way around
it that will allow people to use all the myriad and unusual pieces of
software they want to use.  There's a risk assessment you have to do, and to
decide what you solve through technology, and what you solve through policy.
If you can't trust your staff to follow policy, that's a different problem
that no technology will ever be able to solve.

I also suspect that there are a lot of networks that allow any outbound
connection from the private LAN, despite the misgivings of their security
staff.  Again, it's risk management and assessment; yes, it's risky, but not
doing it irritates the other thousand people at the company, or even
prevents them from doing their work successfully - what choice will
management make?

Sometimes they do choose security; I was at a large computer company where I
had to work from home; the corporate firewall wouldn't allow me to connect
to our customer's sites the ways I needed to, and they wouldn't budge on
opening ports.  We also had to use application level FTP and Telnet proxies,
and to set the web proxy in our browsers; I don't think they allowed any raw
network packets across.  So, I had to work from home, and they covered part
of my DSL.  They had decided security was worth that cost in the few cases
where the employee could really justify it.  I later discovered that this
was not common to the whole company, and only done at sites where they did
work requiring government classifications; it was quite a shock to traveling
employees that instant messaging didn't work.

Other times they don't, and you have to be ready to cope with that.  Make
sure they understand it's a decision they're making, and that they may have
to live with the consequences, and do what you have to do.


> -----Original Message-----
> From: Chris Alliey [mailto:calliey () bellatlantic net]
> Sent: Wednesday, November 13, 2002 8:44 PM
> To: Chris Berry; security-basics () securityfocus com
> Subject: RE: Open All Outbound Ports?
>
>
>
> I know I don't have all the expertise that a lot of the 
> people on this list
> probably have - so PLEASE take it easy on me for responding to this.
>
> I too have had a 'network engineering' team make this 
> suggestion, and get it
> passed (over my objections).  Even though I brought up a lot 
> of the reasons
> already mentioned (security, DDOS zombies, Kazaa, limewire, ....),
> executives allowed them to open the ports out -- because they are the
> 'network security experts' in our company.  I never agreed 
> with it, but one
> of their reasons to open this was passive FTP.  Their reason 
> was a lot of
> the sites that were visited used Passive FTP, that randomly 
> uses any port
> above port 1024.
>
> Can anyone comment on this?  This never sat well with me, and I really
> didn't like it when vendors who brought laptops into our environment -
> discovered this, after only 1 week on site :-(    As a server 
> engineer, I've
> had to deal with the NIMDA and other worms/virii/....  as you 
> can guess,
> that was a little worrisome.
>
> Chris
>
>
>
>
> -----Original Message-----
> From: Chris Berry [mailto:compjma () hotmail com]
> Sent: Monday, November 11, 2002 4:03 PM
> To: security-basics () securityfocus com
> Subject: Re: Open All Outbound Ports?
>
>
> > From: tony tony <tonytorri () yahoo com>
> > Our firewall group has came to me several times over the 
> last few >months
> > wanting my approval to open all of the "OUTBOUND" ports on 
> our >firewall
> > facing the internet.
>
> Not a good idea.  One of the most important things during a 
> security breach
> is to keep the attacker from using your platform as a staging 
> ground.  By
> preventing them from commincating freely, you greatly retard their
> capabilities.  For example, a trojan will probably try to 
> "phone home" and
> if you have blocking set up this will show in your logs.  By 
> opening all
> your outbound ports you're just asking to be a DDOS zombie, warez ftp
> server, etc.
>
> > Their argument is that this would not >significantly reduce 
> our >security
>
> Not true, just like a military base its important to know 
> what is going out
> as well as what is coming in.
>
> > and it will reduce their time/effort in administration.
>
> Possibly true, although the amount of time it takes to open a 
> set of ports
> can't be very long.
>
> > They claim they get several requests a week to open up out 
> bound ports >and
> > the number keeps growing each month.
>
> How can this be true, this would make me highly suspicious, I 
> would want a
> record of all the ports they've opened over the last three 
> months and what
> programs/services they opened them for.  I mean unless you 
> guys are going
> through some kind of major upgrade cycle their should be 
> little or no change
> in your port list on a monthly basis.
>
> > They want to go for the gusto...and >open up all 65,000+ 
> outbound ports.
> > I am in the security area and they want my agreement/sign 
> off before >they
> > do this.  It just does not "feel/smell right" but I am 
> losing >ground with
> > my arguments.  What are some good arguments I can use?
>
> Not only would I not sign off on this, I'd launch an 
> investigation into
> their procedures, something definitely doesn't feel right 
> here.  I would
> suspect that they are allowing traffic that they shouldn't be 
> just because
> someone asked for it.  Kazaa for example.
>
> Chris Berry
> compjma () hotmail com
> Systems Administrator
> JM Associates
>
> "And here in our server room you can see our Beowolf Cluster 
> of C64's that
> keeps our enterprise on the very cutting edge of technology."
>
> _________________________________________________________________
> The new MSN 8: smart spam protection and 2 months FREE*
> http://join.msn.com/?page=features/junkmail