Educause Security Discussion mailing list archives
Re: Firewall Upgrade
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Fri, 14 Feb 2014 14:00:53 -0600
The way I used to handle this situation was to block all outbound email at the firewall unless it was destined to the anti-spam system that sat in the DMZ. Then, in that system, I blocked all relaying of email unless there was an authenticated connection via SSL/TLS or if the system was in an IP-based allow list (for printers/copiers/faxes or other similar devices). This setup caused a little bit of pain until our User Support group understood which cases needed which configuration. With relaying the mail for those devices through the anti-spam system, the messages still got scanned for spam and viruses.

--
Nathaniel Hall

On 2/14/2014 1:50 PM, randy wrote:
I know this is a silly question but from what I'm reading on this thread, we're talking about putting an SMTP block on ALL outbound email? I hope that's not the case because that doesn't make any sense. How do you distinguish between legit and bad outbound traffic? IMHO, the only value a FW has these days is to block unsolicited inbound connections. Using a combo of devices like PA, FireEye (my favorite), Stonesoft, Snort, etc. in combo with subscribing to some sort of threat intelligence services (Fireeye, secureworks, etc.) to monitor outbound traffic is more effective. SMTP servers are embedded in all sorts of devices ranging from printers, copiers and scanners.

Effective patch mgt solutions like BigFix etc. are proving to be more effective in halting malware infections that manage to make it past the IDS/IPS sensors. Yes, the malware got loaded on the target but it needs to exploit a hole in a software component and if that hole was patched effectively, the net result is the machine wasn't compromised. Blocking the outbound communication to a controller is key. It's hard but the technology is getting better. Network Security Monitoring aka Continuous Monitoring of outbound traffic seems to be the more effective solution.

-Randy Marchany
VA Tech IT Security Office and Lab.
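The two-layer control Nathaniel describes (egress firewall permits campus SMTP only toward the DMZ relay; the relay refuses to forward outside mail unless the session is authenticated or the source is an allow-listed device), written out as an added Python model that is not code from the thread or from any product named in it. The network ranges, relay address, allow-listed printer and block-count threshold are constructed assumptions; the last function goes slightly beyond the thread by using the firewall's own denials as the outbound-monitoring signal Randy argues for.

```python
"""Decision model for outbound mail: border firewall egress rule + DMZ relay policy."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed addressing (assumptions for the example, not from the thread).
CAMPUS = ipaddress.ip_network("10.0.0.0/8")           # internal hosts
RELAY = ipaddress.ip_address("192.0.2.25")            # anti-spam relay in the DMZ
DEVICE_ALLOW = {ipaddress.ip_address("10.20.30.40")}  # printer/copier allow list
SMTP_PORTS = {25, 465, 587}


@dataclass
class Attempt:
    src: str
    dst: str
    port: int
    authenticated: bool = False  # SASL auth over TLS at the relay
    rcpt_local: bool = False     # recipient is in our own domain


def firewall_allows(a: Attempt) -> bool:
    """Layer 1: campus hosts may open SMTP connections only to the DMZ relay."""
    src, dst = ipaddress.ip_address(a.src), ipaddress.ip_address(a.dst)
    if a.port not in SMTP_PORTS or src not in CAMPUS:
        return True  # not outbound SMTP from campus: this rule does not apply
    return dst == RELAY


def relay_accepts(a: Attempt) -> bool:
    """Layer 2: the relay will not forward mail off-campus for anonymous sources."""
    if a.rcpt_local:
        return True  # mail to our own domain is accepted (and still scanned)
    return a.authenticated or ipaddress.ip_address(a.src) in DEVICE_ALLOW


def decide(a: Attempt) -> str:
    """Combined outcome of one connection attempt through both layers."""
    if not firewall_allows(a):
        return "blocked-at-firewall"
    if ipaddress.ip_address(a.dst) == RELAY and not relay_accepts(a):
        return "relay-denied"
    return "permitted"


def suspect_hosts(attempts, threshold: int = 3):
    """Hosts repeatedly denied direct outbound SMTP: a cheap spam-bot indicator."""
    hits = Counter(a.src for a in attempts if not firewall_allows(a))
    return sorted(h for h, n in hits.items() if n >= threshold)
```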