Security Basics mailing list archives

RE: Open All Outbound Ports?


From: "Clint Harris" <clinton.harris () peace com>
Date: Tue, 12 Nov 2002 12:20:18 +1300

Crazy.
If you're gonna allow every port out, I would only allow every port out
with the introduction of a proxy server and some content filtering. But
never directly out from workstation to internet.

e.g. M$ ISA Proxy server with TrendMicro Interscan WebProtect.

This will at least attempt to help prevent any virus, malicious code or
non-work-related sites being accessed, and give some form of monitoring
of what is going on.

The proxy server should go in your DMZ so there is never any direct
traffic from the untrusted side of your firewall to the trusted ... and
vice versa. The WebProtect could go on a separate machine in the trusted
zone or the DMZ (as its next hop will be the proxy server), but since it's
running IIS, I put it in the DMZ.
All http/ftp traffic is then directed at the WebProtect installation.
Anything else that is not in the LAT (Local Address Table) is sent, by
means of an ISA firewall client installed on the workstation, to the ISA
server for processing, whether it is allowed or not. E.g. deny telnet
but allow the HR staff to access some 3rd party recruiting application.

Apart from external hackers putting backdoors in etc., what about your
internal users? Where I am we have about 300 developers who all seem
to think they know best and are always requesting stuff to be opened.
Upon investigation it is usually so they can access some dodgy thing
they have set up at home, which would just compromise any "anti-virus" or
"security procedures" we have in place.

It is apparent that you are blocking everything (most) out at the moment.
See if you can get a look at the "denied" out logs. I look at mine all
the time and always find someone is up to something, or some M$ windoze
box has decided that it is going to broadcast to the world and tell
everyone who it is, or one of our dodgy developers has managed to get
root on a linux box and is trying to run their own mail server on it.
Looking at that will probably give you some good starts.

E.g. here is an excerpt from what I see on my deny out log ... all sorts
of junk.

10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004 
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515 
10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649 
10.0.3.193:2792 0.0.0.0:0 24.150.130.49:3949 0 sec. TCP PORT 3949 
10.0.3.193:2791 0.0.0.0:0 66.108.208.249:1214 0 sec. TCP PORT 1214 
10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004 
10.0.1.150:32769 0.0.0.0:0 239.2.11.73:8649 0 sec. UDP PORT 8649 
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515 
10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649 

Now I have to go off and find why someone is trying to print to
"170.152.52.141" and what's going on with the rest.

Rather than battling it out, I think that if you can come up with a
solution like what I've said, or better, then you will get the best of
both worlds. The firewall guys don't have to keep reconfiguring the
firewall, the users get more functionality, and you get more peace of
mind, security and monitoring functionality, and your BW usage should be
reduced.

Just my blurb on it.

Cheers


-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com] 
Sent: Friday, November 08, 2002 2:34 PM
To: security-basics () securityfocus com
Subject: Open All Outbound Ports? 


Hi, 

Our firewall group has come to me several times over the last few months
wanting my approval to open all of the "OUTBOUND" ports on our firewall
facing the internet.  Their argument is that this would not
significantly reduce our security and it will reduce their time/effort
in administration.  They claim they get several requests a week to open
up outbound ports and the number keeps growing each month. They want to
go for the gusto and open up all 65,000+ outbound ports.

I am in the security area and they want my agreement/sign off before
they do this.  It just does not "feel/smell right" but I am losing
ground with my arguments.  What are some good arguments I can use?  

Tony


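An added triage helper for the deny-out review Clint describes above; it is not part of the original post or of any product named in it. It parses lines in the layout of the quoted excerpt, collapses repeated flows, counts distinct destinations per source host and classifies each destination; the field layout, the sample lines and the port-to-service labels are assumptions (the post itself only names port 515 as printing).

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample, laid out like the deny-out excerpt quoted in the post.
SAMPLE_LOG = """\
10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649
10.0.3.193:2792 0.0.0.0:0 24.150.130.49:3949 0 sec. TCP PORT 3949
10.0.3.193:2791 0.0.0.0:0 66.108.208.249:1214 0 sec. TCP PORT 1214
10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
10.0.1.150:32769 0.0.0.0:0 239.2.11.73:8649 0 sec. UDP PORT 8649
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
"""
# Assumed field layout: "src:sport 0.0.0.0:0 dst:dport N sec. PROTO PORT dport"
LINE_RE = re.compile(r"^(?P<src>[\d.]+):\d+\s+\S+\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
                     r"\s+\d+\s+sec\.\s+(?P<proto>TCP|UDP)\s+PORT\s+\d+\s*$")
# Assumed service labels for the ports in the sample (not stated by the post).
PORT_LABELS = {("TCP", 515): "LPD printing", ("TCP", 1214): "KaZaA/FastTrack",
               ("UDP", 5004): "RTP media", ("UDP", 8649): "Ganglia monitoring"}

def parse_deny_log(text):
    """Return one dict per parseable line; lines in another layout are skipped."""
    rows = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [{"src": m["src"], "dst": m["dst"], "proto": m["proto"],
             "dport": int(m["dport"])} for m in rows if m]

def destination_class(dst):
    """Multicast/private destinations usually mean a chatty or misconfigured box;
    internet destinations are the ones worth a closer look."""
    ip = ip_address(dst)
    return "multicast" if ip.is_multicast else "private" if ip.is_private else "internet"

def summarize(records):
    """Collapse repeated flows and count distinct destinations per source host,
    so the analyst starts with the noisiest hosts and flows."""
    flows = Counter((r["src"], r["dst"], r["proto"], r["dport"]) for r in records)
    per_host = defaultdict(set)
    for r in records:
        per_host[r["src"]].add((r["dst"], r["dport"]))
    report = [{"src": s, "dst": d, "proto": p, "dport": dp, "hits": n,
               "class": destination_class(d),
               "service": PORT_LABELS.get((p, dp), "unknown")}
              for (s, d, p, dp), n in flows.most_common()]
    return report, {h: len(dsts) for h, dsts in per_host.items()}

for row in summarize(parse_deny_log(SAMPLE_LOG))[0]:
    print(f"{row['hits']}x {row['src']} -> {row['dst']}:{row['dport']}/{row['proto']}"
          f" [{row['class']}] {row['service']}")
```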

