Re: Open All Outbound Ports?

[Vince Hillier <vdh () plutonium homeunix com>]

On Thu, 2002-11-07 at 20:33, tony tony wrote:
> Hi, 
>
> Our firewall group has came to me several times over the last few months
> wanting my approval to open all of the “OUTBOUND” ports on our firewall facing
> the internet.  Their argument is that this would not significantly reduce our
> security and it will reduce their time/effort in administration.  

Bas idea...  Lazyness is overcoming them, and your security will be the
cost.  What hapens when somebody opens up that pretty icon in their
email, and they see a nice little animation, yet 31337 h4x0r (mmmhmm)
takes remote control?  Time to get a new firewall group ;)

> They claim
> they get several requests a week to open up out bound ports and the number
> keeps growing each month. They want to go for the gusto…and open up all 65,000+
> outbound ports.

Are they kidding? how many ports can the open? I know it's alot of work
/initially/, but honestly, ask yourself that qeuestion.  Once a firewall
is properly configured, the maintenance is and should be minimal.

> I am in the security area and they want my agreement/sign off before they do
> this.  It just does not “feel/smell right” but I am losing ground with my
> arguments.  What are some good arguments I can use?  

You're right, it doesn't smell right, how do you know someone internal
has not planed something to take control remotely?

In the end, your job could be on the line...  if they can go above your
head and get the approval, let them.  But don't you approve it, unless
of course, you can explain why you authorized something that costed the
company "billions" of dollars.  It's always billions... even in 50
people operations... ;)


> Tony
>
>
> __________________________________________________
> Do you Yahoo!?
> U2 on LAUNCH - Exclusive greatest hits videos
> http://launch.yahoo.com/u2