Security Basics mailing list archives
Re: Unrestricted Outbound Web Server Access Opinion
From: Mark Leonard <mark () mjleonard com>
Date: Wed, 04 May 2005 08:48:37 -0600
Paul Guibord wrote:
> Someone within our company wants our Internet facing web servers to have unrestricted outbound access. Port 80 is the only port permitted from the outside coming in.
Have they provided a reason for unrestricted outbound access? If they wanted specific ports opened, I could understand that - but unrestricted access makes me think that they aren't really sure of their own requirements.
> I need the experts' opinion why we do not want to permit this PLEASE. Two things I could think of are if the web servers were compromised, then the hacker would have the ability to offload any data they want. Another being if they were infected with a worm they would bring down the Internet T1 in their attempt to find other devices to infect.

You seem to be on the right track already. I've seen these two things happen in the past, and it's not fun. The risk of this happening can become very high if the webservers are using third-party PHP scripts or CGI that aren't audited.

In the end, this is a management/policy decision. If the machine is compromised, what is the cost of the potential harm that would come of it having unrestricted outbound access?

I'm curious to hear how other admins would deal with this situation. Typically, I've dealt with this sort of problem with a potential cost vs. benefit type of analysis.

Hope that helps,
ttyl
mark