Firewall Wizards mailing list archives

Re: outbound traffic security risk


From: Holger Kipp <Holger.Kipp () alogis com>
Date: Tue, 23 Mar 2004 15:13:48 +0100

On Tue, Mar 23, 2004 at 08:50:12AM +0000, Hilal Hussein wrote:
Dear List,

I would like to ask about the risk of opening outbound port traffic in the 
firewall.

Currently, I am opening outbound port traffic based on user 
requests, such as POP3 and SMTP traffic. I read about some risk that could be in 
some kinds of outbound traffic which might pass JavaScript, or trojan 
horses, or other kinds of attacks during the opened session from users 
(inside the network) to the outbound.

Allowing outbound traffic also allows answers to come back. The easiest example
is HTTP. You allow outbound traffic which requests several files. Depending
on the OS of the client, this might be sufficient to get a trojan installed
on the client inside the protected network.

Trojans can then use one of these open ports to connect to the outside world
to transmit any data or even allow external crackers to send commands to 
the infected client.

Risk can be minimised, e.g.
- by restricting outgoing connections to specific servers
- by using a proxy and not allowing clients direct access
- redirecting all traffic (if applicable) through a virus scanner,
  e.g. FTP, HTTP, email
- use virus scanners etc. on all clients
- use clients that
  - are easy to maintain and upgrade
  - don't allow users to install their own software
  - are not easily compromised
- don't allow direct access
  - a system in the DMZ is accessing external sources; clients can
    access this system only for viewing (e.g. using VNC, X)
- applications that are put on the clients are first thoroughly
  tested.
- scan the internal network (especially the gateway) for illegal requests. If you
  are using a proxy for HTTP/HTTPS/FTP, only allow some ports (see Squid for
  an example) and check if other ports are also requested. This might be an 
  indication of an internal system being compromised.

For specific tasks you might consider a specially hardened client system
within the DMZ.

Depending on the security level you want this might be very expensive.
YMMV.


Regards,
Holger Kipp
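The last item in the list above, checking the proxy logs for clients that ask for ports the egress policy does not serve, is easy to automate. The following is an added example written for this archive page, not code from the thread or from Squid itself. It assumes a Squid-style native access.log layout, a small allowed-port set (ALLOWED_PORTS, a stand-in for a Safe_ports/SSL_ports style policy), and constructed sample lines with documentation-range addresses; denied requests are counted as well, because a client that keeps asking for an unusual port is the signal the reply describes, whether or not the proxy let it through.

```python
"""Flag internal clients whose proxy requests fall outside the egress port policy.

Added example, not part of the original mailing list thread. The log format
follows Squid's native access.log layout; ALLOWED_PORTS and the sample
addresses below are assumptions made for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed egress policy: the only destination ports the proxy should serve.
ALLOWED_PORTS = {80, 443, 21}

# Default port per scheme, used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample lines in Squid native format:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1080000000.123    245 10.0.0.12 TCP_MISS/200 4512 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1080000001.456    312 10.0.0.12 TCP_TUNNEL/200 8831 CONNECT mail.example.net:443 - DIRECT/192.0.2.11 -
1080000002.001      0 10.0.0.57 TCP_DENIED/403 0 CONNECT 203.0.113.5:6667 - HIER_NONE/- text/html
1080000003.789      0 10.0.0.57 TCP_DENIED/403 0 GET http://203.0.113.5:8080/gate.php - HIER_NONE/- text/html
1080000004.200     90 10.0.0.12 TCP_MISS/200 1024 GET ftp://ftp.example.org/pub/README - DIRECT/192.0.2.12 text/plain
1080000005.300      0 10.0.0.57 TCP_DENIED/403 0 CONNECT 203.0.113.5:6667 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return (client, method, host, port) for one log line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, method, target = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT targets are written as host:port with no scheme.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return client, method, host, int(port)
    parts = urlsplit(target)
    if not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        return None
    return client, method, parts.hostname, port


def find_offpolicy(log_text, allowed_ports=ALLOWED_PORTS):
    """Group off-policy requests by client: {client: [(host, port, method), ...]}.

    Denied requests are included on purpose: the proxy refusing port 6667
    does not make the client that asked for it any less interesting.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, host, port = parsed
        if port not in allowed_ports:
            hits[client].append((host, port, method))
    return dict(hits)


def summarize(hits):
    """One report line per client, most active client first."""
    order = sorted(hits, key=lambda c: len(hits[c]), reverse=True)
    return [
        f"{c}: {len(hits[c])} off-policy request(s) -> "
        + ", ".join(f"{h}:{p} ({m})" for h, p, m in hits[c])
        for c in order
    ]


if __name__ == "__main__":
    for report_line in summarize(find_offpolicy(SAMPLE_LOG)):
        print(report_line)
```

Run against the constructed sample, the report singles out 10.0.0.57, which asked for an IRC-style port and a non-standard HTTP port on the same external host, while 10.0.0.12 stays quiet because every destination it used is within policy. In practice the same function is run over the real access.log on a schedule, and the allowed set is taken from the proxy's own ACLs so that the check and the enforcement never drift apart.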
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards