Re: Botnets, IRC servers and firewalls?

["Victor B. Williams" <vbwilliams () essvote net>]

I block everything, explicity allow only port 80 and port 443 to our
2-3 proxy servers, port 25 to our 3 mail servers, and log everything
else...successful or not...works pretty well.  This is a firewall AND
router policy.  Only those that ask for FTP get it...and it's only for
24 hours by supervisor permission only.

It's a pretty stringent policy...most people won't like it at first. 
But when you go 2+ years without more than 5 machines total affected
by any worm or variant, people stop complaining about what a nazi you
are.


Paul Robertson said:
> Seems like we're seeing more and more botnet infections going out to
> IRC
> servers.  Granted several of these infections go to servers on
> different
> ports than the default, but a significant number of them are hitting
> servers on tcp/6667.
>
> Now that most firewalls don't proxy, it seems way too many places are
> allowing TCP straight out to any port, so long as it originates inside
> (certainly the "NAT is a firewall crowd.")  How many people routinely
> block TCP/6667, or non-allowed applications?  How many of you who
> don't
> block it do regular reports on connections initiated inside to
> external
> servers that aren't on port 80, 443, etc?
>
> I was tempted to save all the mydoom samples I got and map them back
> to netblocks to see how many were home users, and how many folks
> allowed
> SMTP straight out.  But I didn't have the patience to sort through all
> the
> messages.
>
> Firewalls are certainly capable of blocking a lot of this stuff- and I
> don't believe that the problem is just home users- am I wrong, or do
> we
> have too many places with too lax a security policy anymore?
>
> ($diety knows we've got too many content filters and AV bouncers- I'm
> about to start collecting regexps for those to add to my block lists.)
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal
> opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment TruSecure
> Corporation
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


"Real men don't even use monitors! I've just got a guy that can draw
real fast."

Victor Williams
Network Architect
Election Systems & Software
http://www.essvote.com
vbwilliams () essvote net
(402) 970-1100

CONFIDENTIALITY NOTICE:
This e-mail transmission and any documents, files or previous e-mail
messages attached to it may contain information that is confidential,
protected by the attorney/client or other privileges, and may
constitute non-public information. It is intended to be conveyed only
to the designated recipient(s) named above. Any unauthorized use,
reproduction, forwarding, distribution or other dissemination of this
transmission is strictly prohibited and may be unlawful. If you are
not an intended recipient of this e-mail transmission, please notify
the sender by return e-mail and permanently delete any record of this
transmission. Your cooperation is appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards