Firewall Wizards mailing list archives
RE: Blocking MS Blaster --> filter outbound access
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 15 Aug 2003 22:37:11 +0000
On Fri, 2003-08-15 at 20:17, Dave Killion wrote:
> You really only need 135 blocked inbound to prevent msblast, but all of those ports you've closed need to be closed for other reasons. Really, all ports inbound should be blocked, except for those specific services you serve (and those ports monitored and servers kept patched).
I can't agree more :)
> You have 2 ports for msblast backwards, however - both 69 and 4444 are not inet-lan, but lan-inet. Once infected, the worm uses those ports to go *out*. If you get hits on those rules, something very bad has happened.
I think this is a great opportunity to emphasize (again) that the "block-all-allow-required" ruleset/mindset should also be applied to outbound connections on your firewalls. Or perhaps allow outbound access only for authenticated users. That way worms, viruses and hackers spawning reverse shells don't get out to the Net, causing security risks and liabilities for your company. (Perhaps I'm just getting too tired of unrestricted outbound access during pentests... :)

Cheers,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
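As an added illustration of the two points made in this exchange (inbound filtering alone does not stop the worm's outbound phase; a block-all-allow-required policy applied in both directions does, and explicit logged denies on the outbound ports become an infection indicator), here is a small first-match packet-filter model. It is example code written for this archive page, not anything posted by Frank or Dave and not a real firewall's syntax; the `Rule`, `Flow`, `Policy`, `evaluate`, `audit` and `alerts` names are the example's own, the allowed services (80 inbound; 53, 80, 443 outbound) are assumed for illustration, and the sample flows are constructed rather than captured traffic. Ports 135, 69 and 4444 are the ones named in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None matches any port
    action: str             # "allow" or "deny"
    log: bool = False       # True: a hit on this rule is worth alerting on
    note: str = ""


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    dport: int
    label: str


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]
    default: Dict[str, str]  # per-direction default when no rule matches


def evaluate(policy: Policy, flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; otherwise the direction's default applies."""
    for rule in policy.rules:
        if rule.direction != flow.direction:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action, rule
    return policy.default[flow.direction], None


# Policy 1 (assumed): inbound filtered, outbound wide open.
INBOUND_ONLY = Policy(
    name="inbound-only",
    rules=[Rule("in", "tcp", 80, "allow", note="public web server")],
    default={"in": "deny", "out": "allow"},
)

# Policy 2 (assumed): block-all-allow-required in both directions, with
# explicit logged denies on the worm's outbound ports so a hit is visible.
BOTH_WAYS = Policy(
    name="block-all-allow-required",
    rules=[
        Rule("in", "tcp", 80, "allow", note="public web server"),
        Rule("out", "udp", 69, "deny", log=True, note="TFTP leaving the LAN"),
        Rule("out", "tcp", 4444, "deny", log=True, note="TCP/4444 leaving the LAN"),
        Rule("out", "udp", 53, "allow", note="DNS"),
        Rule("out", "tcp", 80, "allow", note="HTTP"),
        Rule("out", "tcp", 443, "allow", note="HTTPS"),
    ],
    default={"in": "deny", "out": "deny"},
)

# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    Flow("in", "tcp", 135, "rpc-135-from-internet"),
    Flow("in", "tcp", 80, "web-request-to-our-server"),
    Flow("out", "tcp", 443, "user-browsing-https"),
    Flow("out", "udp", 69, "tftp-out"),
    Flow("out", "tcp", 4444, "tcp4444-out"),
    Flow("out", "tcp", 1234, "unknown-port-out"),
]


def audit(policy: Policy, flows: List[Flow]) -> Dict[str, str]:
    """Map each flow label to the verdict the policy gives it."""
    return {f.label: evaluate(policy, f)[0] for f in flows}


def alerts(policy: Policy, flows: List[Flow]) -> List[str]:
    """Labels of flows that hit a logged rule: the 'something very bad' signal."""
    hits = []
    for f in flows:
        _, rule = evaluate(policy, f)
        if rule is not None and rule.log:
            hits.append(f.label)
    return hits


if __name__ == "__main__":
    for policy in (INBOUND_ONLY, BOTH_WAYS):
        print(f"--- {policy.name} ---")
        for label, verdict in audit(policy, SAMPLE_FLOWS).items():
            print(f"{label:28s} {verdict}")
        print("alerts:", alerts(policy, SAMPLE_FLOWS))
```

Under the inbound-only policy the TCP/135 probe is dropped, but every outbound flow, including the TFTP and TCP/4444 ones, passes silently. Under the both-ways policy those two flows are denied and surface as alerts, and the unknown outbound port is dropped by the default rather than by anyone having anticipated it; the legitimate HTTPS session still works because it was explicitly allowed.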