Firewall Wizards mailing list archives

RE: Blocking MS Blaster --> filter outbound access


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 15 Aug 2003 22:37:11 +0000

On Fri, 2003-08-15 at 20:17, Dave Killion wrote:
> You really only need 135 blocked inbound to prevent msblast, but all of
> those ports you've closed need to be closed for other reasons.  Really,
> all ports inbound should be blocked, except for those specific services
> you serve (and those ports monitored and servers kept patched).

I can't agree more :)

> You have 2 ports for msblast backwards, however - both 69 and 4444 are not
> inet-lan, but lan-inet.  Once infected, the worm uses those ports to go
> *out*.  If you get hits on those rules, something very bad has happened.

I think this is a great opportunity to emphasize (again) that the
"block-all-allow-required" ruleset/mindset should also be applied to
outbound connections on your firewalls. Or perhaps allow outbound access
only for authenticated users. That way worms, viruses and hackers
spawning reverse shells don't get out to the Net, causing security risks
and liabilities for your company.

(Perhaps I'm just getting too tired of unrestricted outbound access
during pentests... :)   

Cheers,
Frank
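As an added illustration (not part of the thread, and not anyone's production ruleset): a small first-match model of the "block-all-allow-required" outbound policy discussed above, with explicit logged deny rules for the two lan->inet ports the worm uses, evaluated over a few constructed flows. The 10.0.0.0/8 LAN range, the allowed service ports and the alert tags are assumptions chosen for the demo.

```python
# Constructed demo of a default-deny egress policy; LAN range, allowed ports
# and tags are assumptions, not taken from any real firewall.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # empty set matches any destination port
    tag: str = ""        # non-empty on deny rules whose hits deserve an alert

# Outbound (lan->inet) rules, first match wins; unmatched traffic is denied.
# The two explicit denies exist only so hits on them are logged and alerted:
# a LAN host opening TCP/4444 or UDP/69 outbound is a strong infection signal.
EGRESS = [
    Rule("deny", "tcp", frozenset({4444}), tag="msblast-backdoor"),
    Rule("deny", "udp", frozenset({69}), tag="msblast-tftp"),
    Rule("allow", "tcp", frozenset({80, 443})),     # assumed: web browsing
    Rule("allow", "tcp", frozenset({25})),          # assumed: mail relay
    Rule("allow", "udp", frozenset({53})),          # assumed: DNS
]

def evaluate(src, dst, proto, dport):
    """Return (verdict, tag) for one flow under the egress policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN or dst in LAN:
        return "n/a", ""          # not a lan->inet flow; other chains apply
    for r in EGRESS:
        if r.proto in ("any", proto) and (not r.dports or dport in r.dports):
            return r.action, r.tag
    return "deny", "default"      # block-all: nothing explicitly allowed it

def alerts(flows):
    """Return (src, tag) for every flow that hit a tagged deny rule."""
    hits = []
    for src, dst, proto, dport in flows:
        verdict, tag = evaluate(src, dst, proto, dport)
        if verdict == "deny" and tag and tag != "default":
            hits.append((src, tag))
    return hits

# Constructed sample flows: one web fetch, one IRC attempt, one worm callback.
SAMPLE = [("10.1.2.3", "198.51.100.7", "tcp", 443),
          ("10.1.2.3", "198.51.100.7", "tcp", 6667),
          ("10.1.2.9", "198.51.100.7", "tcp", 4444)]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f, "->", evaluate(*f))
    print("alerts:", alerts(SAMPLE))
```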
