Security Basics mailing list archives

RE: Open All Outbound Ports?

From: "DeGennaro, Gregory" <Gregory_DeGennaro () csaa com>
Date: Tue, 12 Nov 2002 09:49:57 -0800

Bad idea ... if you do ... make sure to monitor your egress traffic.

Regards,

Greg DeGennaro Jr., CCNP
Network/Security Analyst, IT Operations



-----Original Message-----
From: Naveed Ahmed [mailto:naveed.ahmed () vinciti com]
Sent: Monday, November 11, 2002 1:41 PM
To: Garbrecht, Frederick; 'tony tony'; security-basics () securityfocus com
Subject: RE: Open All Outbound Ports? 


In addition, in case your network inadvertently becomes a zombie in a DDos,
there is no way you can prevent DoS traffice from leaaving your network.
Just wondering, if you do have a web server and if thats allowed to make
outbound connections, it could cause havoc once its compromised

Rgds
-Naveed

-----Original Message-----
From: Garbrecht, Frederick [mailto:FGarbrecht () ecogchair org]
Sent: Sunday, November 10, 2002 12:25 AM
To: 'tony tony'; security-basics () securityfocus com
Subject: RE: Open All Outbound Ports?


A couple of things come to mind.  Spyware programs installed by internal
users inadvertently can ramp up outgoing traffic considerably and waste your
bandwidth.  Opening up outgoing ports also makes it much easier for
peer-to-peer file sharing applications on your internal LAN to do their
dirty work; clearly a security risk well defined elsewhere.  Some trojans
may also enjoy the new-found ability to establish outbound communications
over whatever port they choose.

I really don't understand why your firewall group would want to do this, it
is such an obvious risk in many ways and violates the well established
security principle of 'least prividege'.  Sounds like your firewall guys are
either really lazy or need some remedial security training.

Fred

-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com]
Sent: Thursday, November 07, 2002 8:34 PM
To: security-basics () securityfocus com
Subject: Open All Outbound Ports?


Hi,

Our firewall group has came to me several times over the last few months
wanting my approval to open all of the "OUTBOUND" ports on our firewall
facing
the internet.  Their argument is that this would not significantly reduce
our
security and it will reduce their time/effort in administration.  They claim
they get several requests a week to open up out bound ports and the number
keeps growing each month. They want to go for the gusto...and open up all
65,000+
outbound ports.

I am in the security area and they want my agreement/sign off before they do
this.  It just does not "feel/smell right" but I am losing ground with my
arguments.  What are some good arguments I can use?

Tony


__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2

Current thread:

RE: Open All Outbound Ports?, (continued)
- - RE: Open All Outbound Ports? Naveed Ahmed (Nov 12)
- Re: Open All Outbound Ports? m2dzus (Nov 11)
  - Re: Open All Outbound Ports? James Butcher (Nov 12)
- Re: Open All Outbound Ports? mitch_latham (Nov 11)
- Re: Open All Outbound Ports? Chris Berry (Nov 12)
  - RE: Open All Outbound Ports? Chris Alliey (Nov 15)
    - RE: Open All Outbound Ports? Mark Merchant (Nov 18)
    - RE: Open All Outbound Ports? G. Class (Nov 21)
    - Message not available
    - RE: Open All Outbound Ports? Mark Merchant (Nov 22)
- Re: Open All Outbound Ports? David Weinberg (Nov 12)
- RE: Open All Outbound Ports? DeGennaro, Gregory (Nov 13)
- Re: Open All Outbound Ports? James Lee Gromoll (Nov 16)
- RE: Open All Outbound Ports? Louis Erickson (Nov 16)
- RE: Open All Outbound Ports? Farrelly, Brian (Nov 17)