Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Stephen John Smoogen <smooge () UNM EDU>
Date: Fri, 25 Apr 2008 11:11:04 -0600

Michael Van Norman wrote:
Basgen, Brian wrote:
Joe,

officers. I mean dang it all, we build wonderful networks, and then
we proceed to block the heck out of 'em to the point where
application programmers can hardly use 'em! That just makes no sense.

Joe, you have a fair point, but you are making it a bit extreme. I
would agree, in some contexts, when it comes to NAC, for example. Yet,
the suggestion that blocking port 25 outbound is problematic for
usability isn't very sustainable.

A researcher on your campus is developing an application that uses
e-mail and incorporates its own MTA.  A port 25 block breaks that.  That
to me is a problem with network usability, not an extreme position.


Then you have a process where the researcher requests for that port to
be open for that service. Other researchers have to make requests for
chemicals, biological agents, requests for review, etc. This is just an
additional process.

The number of researchers who need port openings is much smaller
than the number of student machines with spam-bots on them. And in some
states, locations, etc., because they are personal property, the state
cannot scan them, etc.


1) Even if you block port 25 traffic, the host is still infested

You are missing the forest for the trees. If you render the intent of
an exploit useless, you've accomplished defense in-depth. We can't
maintain pristine networks. We *can* reduce risk and have sufficient
depth such that a compromise will be mitigated by various layers.

This assumes that the malware loses all value to the miscreant if SMTP
is blocked.  The malware is still likely to be keylogging, uploading
browser caches, etc.  It may also simply use your existing mail relays.
Those other aspects of the malware have value.  Blocking SMTP is not
going to change that (and thus I would question the assertion of defense
in depth).


Defence in depth is never an all or nothing thing. Having a lock on the
door is not going to stop the guy who has a battering ram, but it will
stop the casual thief. You have to add more protections than a simple
port block, but relying on some other device only is also foolhardy.


/Mike


--
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-8219  Email: smooge () unm edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
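The policy Stephen describes (block outbound port 25, with exceptions for the campus mail relays and for researcher hosts that went through the request process) and the spam-bot hosts it is meant to catch, as an added Python example that is not from the thread. The firewall log lines, relay address and exception host are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log sample (not from the list discussion).
SAMPLE_LOG = """\
Apr 25 10:01:02 fw kernel: SRC=10.20.30.40 DST=198.51.100.7 PROTO=TCP DPT=25
Apr 25 10:01:03 fw kernel: SRC=10.20.30.40 DST=198.51.100.8 PROTO=TCP DPT=25
Apr 25 10:01:03 fw kernel: SRC=10.20.30.40 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 25 10:01:04 fw kernel: SRC=10.20.30.40 DST=203.0.113.9 PROTO=TCP DPT=25
Apr 25 10:01:05 fw kernel: SRC=10.20.30.41 DST=192.0.2.25 PROTO=TCP DPT=25
Apr 25 10:01:06 fw kernel: SRC=10.20.30.42 DST=198.51.100.7 PROTO=TCP DPT=25
Apr 25 10:01:07 fw kernel: SRC=10.20.30.42 DST=198.51.100.7 PROTO=TCP DPT=443
Apr 25 10:01:08 fw kernel: SRC=10.20.30.99 DST=198.51.100.7 PROTO=TCP DPT=25
Apr 25 10:01:09 fw kernel: SRC=10.20.30.99 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 25 10:01:10 fw kernel: SRC=10.20.30.99 DST=203.0.113.9 PROTO=TCP DPT=25
"""

CAMPUS_RELAYS = {"192.0.2.25"}    # assumed address of the campus mail relay
APPROVED_MTAS = {"10.20.30.99"}   # assumed researcher host with an approved exception

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse_smtp_attempts(log):
    """Yield (src, dst) for every outbound connection attempt to TCP port 25."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "25":
            yield m.group(1), m.group(2)


def policy(src, dst):
    """'allow' only for traffic to the campus relays or from an approved MTA;
    everything else on port 25 is denied, as the thread proposes."""
    if dst in CAMPUS_RELAYS or src in APPROVED_MTAS:
        return "allow"
    return "deny"


def suspected_spambots(log, min_distinct_dst=3):
    """Hosts whose denied port-25 attempts fan out to many distinct destinations.
    A single denied attempt is noise; fan-out to many MTAs looks like a bot."""
    fanout = defaultdict(set)
    for src, dst in parse_smtp_attempts(log):
        if policy(src, dst) == "deny":
            fanout[src].add(dst)
    return sorted(s for s, dsts in fanout.items() if len(dsts) >= min_distinct_dst)
```

The denied-but-not-flagged host (10.20.30.42 above) is the case where the block alone is the control; the flagged host is the one worth a follow-up, since the infection remains even though its mail is stopped.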
