Re: Unrestricted Outbound Web Server Access Opinion

[Chris Keladis <chris () cmc optus net au>]

Also, if abusing a *overflow vulnerability an attacker can get a 
connect-back shell to further exploit the machine, where the inbound 
policy may not allow it.

Not to mention when folks discover they can surf from the machine they 
will use it and pick up all manner of *ware.

Generally a bad idea<tm>.




Cheers,

Chris.

Keenan Smith wrote:

> Wouldn't unrestricted outbound access allow a compromised server to be
> used to launch all sorts of attacks against others?
>
> At the very least, that could result in substantial negative PR 
>
> Keenan
>
> -----Original Message-----
> From: Paul Guibord [mailto:pguibord () tngtech net] 
> Sent: Tuesday, May 03, 2005 8:55 AM
> To: security-basics () securityfocus com
> Subject: Unrestricted Outbound Web Server Access Opinion
>
>
>
> Hello All,
>
> Someone within our company wants our Internet facing web servers to have
> unrestricted outbound access. Port 80 is the only port permitted from
> the outside coming in. I need the experts opinion why we do not want to
> permit this PLEASE. Two things I could think of are if the web servers
> were compromised, then the hacker would have the ability offload any
> data they want. Another being if they were infected with a worm they
> would bring down the Internet T1 in their attempt to find other devices
> to infect.
>
> Thanks in advance for everyone's input.
>
> Paul