Security Basics mailing list archives
Re: Open All Outbound Ports?
From: "Chris Berry" <compjma () hotmail com>
Date: Mon, 11 Nov 2002 13:03:19 -0800
From: tony tony <tonytorri () yahoo com>Our firewall group has came to me several times over the last few >months wanting my approval to open all of the OUTBOUND ports on our >firewall facing the internet.
Not a good idea. One of the most important things during a security breach is to keep the attacker from using your platform as a staging ground. By preventing them from commincating freely, you greatly retard their capabilities. For example, a trojan will probably try to "phone home" and if you have blocking set up this will show in your logs. By opening all your outbound ports you're just asking to be a DDOS zombie, warez ftp server, etc.
Their argument is that this would not >significantly reduce our >security
Not true, just like a military base its important to know what is going out as well as what is coming in.
and it will reduce their time/effort in administration.
Possibly true, although the amount of time it takes to open a set of ports can't be very long.
They claim they get several requests a week to open up out bound ports >and the number keeps growing each month.
How can this be true, this would make me highly suspicious, I would want a record of all the ports they've opened over the last three months and what programs/services they opened them for. I mean unless you guys are going through some kind of major upgrade cycle their should be little or no change in your port list on a monthly basis.
They want to go for the gusto and >open up all 65,000+ outbound ports.I am in the security area and they want my agreement/sign off before >they do this. It just does not feel/smell right but I am losing >ground with my arguments. What are some good arguments I can use?
Not only would I not sign off on this, I'd launch an investigation into their procedures, something definitely doesn't feel right here. I would suspect that they are allowing traffic that they shouldn't be just because someone asked for it. Kazaa for example.
Chris Berry compjma () hotmail com Systems Administrator JM Associates"And here in our server room you can see our Beowolf Cluster of C64's that keeps our enterprise on the very cutting edge of technology."
_________________________________________________________________The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail
Current thread:
- Re: Open All Outbound Ports?, (continued)
- Re: Open All Outbound Ports? Sumit Dhar (Nov 13)
- Re: Open All Outbound Ports? Jens Rantil (Nov 09)
- Re: Open All Outbound Ports? Vince Hillier (Nov 11)
- RE: Open All Outbound Ports? Clint Harris (Nov 12)
- AW: Open All Outbound Ports? Robert Sieber (Nov 13)
- RE: Open All Outbound Ports? Garbrecht, Frederick (Nov 11)
- RE: Open All Outbound Ports? Naveed Ahmed (Nov 12)
- Re: Open All Outbound Ports? m2dzus (Nov 11)
- Re: Open All Outbound Ports? James Butcher (Nov 12)
- Re: Open All Outbound Ports? mitch_latham (Nov 11)
- Re: Open All Outbound Ports? Chris Berry (Nov 12)
- RE: Open All Outbound Ports? Chris Alliey (Nov 15)
- RE: Open All Outbound Ports? Mark Merchant (Nov 18)
- RE: Open All Outbound Ports? G. Class (Nov 21)
- Message not available
- RE: Open All Outbound Ports? Mark Merchant (Nov 22)
- RE: Open All Outbound Ports? Chris Alliey (Nov 15)