Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Mike Porter <mike () UDEL EDU>
Date: Mon, 28 Apr 2008 15:00:15 -0400

On Fri, 25 Apr 2008, Basgen, Brian wrote:

Joe,

officers. I mean dang it all, we build wonderful networks,
and then we proceed to block the heck out of 'em to the point
where application programmers can hardly use 'em! That just
makes no sense.

Joe, you have a fair point, but you are making it a bit extreme. I
would agree, in some contexts, when it comes to NAC, for example. Yet,
the suggestion that blocking port 25 outbound is problematic for
usability isn't very sustainable.

It is so tempting to say, when confronting any security risk, "block
it."

The role of the ISO is a lot more nuanced than this. This is a good
example of the importance of an ISO in an institution, as opposed to a
network security administrator, for example.

1) Even if you block port 25 traffic, the host is still infested

You are missing the forest for the trees. If you render the intent of
an exploit useless, you've accomplished defense in-depth. We can't

The intent of the exploit is most likely multi-faceted.  It can be
used to send spam.  It can be used to scan machines local to a
subnet.  It can be used to guess passwords.  I'm convinced that
laptops are loaded with wireshark type programs and sniffing for
passwords.  Any time we can get one of these machines to reveal
itself, that's one less machine hiding where I can't easily see what
it's up to.

maintain pristine networks. We *can* reduce risk and have sufficient
depth such that a compromise will be mitigated by various layers.

Alternatively, you can monitor and when trip points are passed, you
can disable the machine and force it to get cleaned.  Blocking ports
is sometimes necessary, but we have not found that to be the
case with port 25.  Microsoft ports (139 et al), are, however,
blocked.

Mike


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College


-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2
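As an added illustration of the "monitor and trip points" approach Mike describes (example code written for this archive page, not from anyone in the thread): a small Python check over constructed flow records that flags a host whose outbound port-25 connections reach more distinct destinations than an assumed threshold within a short window, while ignoring an assumed campus mail relay at 10.20.1.2.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the original thread):
# "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1209400000 10.20.5.17 192.0.2.10 25
1209400001 10.20.5.17 198.51.100.4 25
1209400002 10.20.5.17 203.0.113.8 25
1209400003 10.20.5.17 192.0.2.11 25
1209400004 10.20.5.17 198.51.100.5 25
1209400005 10.20.5.17 203.0.113.9 25
1209400010 10.20.5.42 10.20.1.2 25
1209400020 10.20.5.42 10.20.1.2 25
1209400030 10.20.5.99 192.0.2.50 443
"""

SMTP_PORT = 25
FLOW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield int(ts), src, dst, int(dport)


def smtp_trip_points(text, max_distinct_dst=5, window_seconds=60,
                     allowed_relays=frozenset({"10.20.1.2"})):
    """Return {src: distinct_dst_count} for hosts whose outbound port-25
    connections to non-relay hosts exceed max_distinct_dst within
    window_seconds. The threshold, window and relay address are assumed
    values chosen for this example, not from the thread."""
    per_src = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, dport in parse_flows(text):
        if dport == SMTP_PORT and dst not in allowed_relays:
            per_src[src].append((ts, dst))
    tripped = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - t0 <= window_seconds}
            if len(in_window) > max_distinct_dst:
                tripped[src] = len(in_window)  # trip point passed
                break
    return tripped
```

A host that trips the threshold is the candidate for the "disable and force it to get cleaned" step; hosts that only talk to the permitted relay are not flagged.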
