Security Basics mailing list archives

Re: How secure is to open ports from inside the firewall?


From: e.m.baechle () ieee org
Date: 15 Mar 2007 00:44:02 -0000

Iosif,

There are (at least) two schools of thought on actually blocking outbound traffic through the firewall.  Both of these
say: log the outbound traffic and review it occasionally.  The important thing to understand is that most firewalls by
default ALLOW all traffic outbound (all of your ports outbound are already open).

The first, the “deny all” principle, suggests you should deny all traffic outbound on ports that do not directly support
your business processes.  Typically, outbound traffic is limited to HTTP, HTTPS, and SMTP.  Even better is when you
use a web proxy server and limit HTTP and HTTPS traffic outbound only from the proxy and SMTP only from the e-mail
server.  Add specific rules for specific services and systems (this may require static IP address assignment; or use IPsec
for authenticating the system [without encryption] on DHCP networks).  Any traffic blocked and logged on your firewall
either violates your electronic communications policy or is malicious.  You can then concentrate on hardening your SMTP
and HTTP/S proxy servers against hijacking.

The second, the “let it go” concept, is for limited-budget groups that lack the expertise to set up proxy servers for their
services, or that have a lot of dynamic services and traveling personnel (who access SMTP from their laptops across your
firewall, attach to various client VPNs, etc.).  In this case, try to make a profile of what is normal (a baseline) and
review anything that happens to be out of place.

Another consideration is to at least log “not normal” situations going out.  For example, if your office hours are from
6:00am to 6:00pm, and the latest person usually stays until 8:00pm, then log any outbound traffic that happens after
8:00pm.  Those hits where a machine is going out when there’s nobody in the office, even on HTTP/S, could be a
compromised system.

Sincerely,

Eric Baechle

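The following is an added example, not code from the original post or its author. It turns the two ideas above into something runnable: a “deny all” egress policy with explicit allow rules for a proxy (HTTP/HTTPS) and a mail server (SMTP), applied to constructed firewall log lines, plus the after-hours review (anything allowed that leaves after 8:00pm or before 6:00am). The host addresses, office hours, and log lines are all assumptions; the log format borrows the SRC/DST/PROTO/DPT fields of the iptables LOG target but is simplified.

```python
"""Egress policy check and after-hours review over constructed firewall log lines.

Added example, not part of the original post.  Assumed (hypothetical) policy:
  10.0.0.5  web proxy   -> may go out on TCP 80 and 443
  10.0.0.6  mail server -> may go out on TCP 25
  anything else outbound is denied and logged
  office hours 06:00-20:00 (the latest person leaves by 8pm)
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

PROXY_IP = "10.0.0.5"   # assumed proxy address
MAIL_IP = "10.0.0.6"    # assumed mail server address

# "Deny all" egress policy: only these (source, protocol, destination port)
# combinations may leave the network; everything else is blocked and logged.
EGRESS_ALLOW = {
    (PROXY_IP, "TCP", 80),
    (PROXY_IP, "TCP", 443),
    (MAIL_IP, "TCP", 25),
}

OFFICE_OPEN = time(6, 0)
OFFICE_CLOSE = time(20, 0)  # nobody is normally in the office after 8pm

# Constructed log format: ISO timestamp, then SRC/DST/PROTO/DPT fields in the
# style of the iptables LOG target (other fields omitted for brevity).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dpt: int


def parse_line(line: str):
    """Parse one log line into a Flow; return None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Flow(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                m["proto"].upper(), int(m["dpt"]))


def egress_allowed(flow: Flow) -> bool:
    """True only if the flow matches an explicit allow rule (deny-all default)."""
    return (flow.src, flow.proto, flow.dpt) in EGRESS_ALLOW


def after_hours(flow: Flow) -> bool:
    """True if the flow happened when nobody should be in the office."""
    t = flow.ts.time()
    return t >= OFFICE_CLOSE or t < OFFICE_OPEN


def review(lines):
    """Split log lines into policy violations and allowed-but-after-hours flows.

    Returns (blocked, suspicious).  Blocked flows failed the deny-all policy, so
    they are either a policy violation or malware.  Suspicious flows were
    permitted (even HTTP/S or SMTP) but happened after hours, so they deserve
    a closer look.
    """
    blocked, suspicious = [], []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue  # skip unparseable noise instead of failing the whole review
        if not egress_allowed(flow):
            blocked.append(flow)
        elif after_hours(flow):
            suspicious.append(flow)
    return blocked, suspicious


# Constructed sample log (not real traffic): two legitimate daytime flows, a
# workstation bypassing the proxy and mail server, a junk line, a workstation
# going out at night, and the proxy and mail server talking after hours.
SAMPLE_LOG = """\
2007-03-14T09:12:01 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443
2007-03-14T09:15:44 SRC=10.0.0.6 DST=198.51.100.25 PROTO=TCP DPT=25
2007-03-14T10:02:13 SRC=10.0.0.42 DST=203.0.113.10 PROTO=TCP DPT=443
2007-03-14T10:03:00 SRC=10.0.0.42 DST=198.51.100.25 PROTO=TCP DPT=25
this line is not a firewall record
2007-03-14T22:10:00 SRC=10.0.0.42 DST=192.0.2.77 PROTO=TCP DPT=443
2007-03-14T23:41:07 SRC=10.0.0.5 DST=192.0.2.77 PROTO=TCP DPT=80
2007-03-15T05:30:12 SRC=10.0.0.6 DST=198.51.100.25 PROTO=TCP DPT=25
"""


def run_sample():
    """Run the review over the constructed sample; returns (blocked, suspicious)."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    blocked, suspicious = run_sample()
    for f in blocked:
        print(f"BLOCKED    {f.ts:%Y-%m-%d %H:%M} {f.src} -> {f.dst}:{f.dpt}/{f.proto}")
    for f in suspicious:
        print(f"AFTER-HRS  {f.ts:%Y-%m-%d %H:%M} {f.src} -> {f.dst}:{f.dpt}/{f.proto}")
```

On the sample, the three workstation flows land in the blocked list and the two night-time proxy and mail-server flows land in the after-hours list. The allow set deliberately mirrors only the three services the post names; a real ruleset also needs entries for whatever else the business depends on (DNS from the proxy and mail server is the usual one), and the final deny rule should log, since without that the review has nothing to read.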
