Educause Security Discussion mailing list archives

Re: Firewall Upgrade


From: randy <marchany () VT EDU>
Date: Fri, 14 Feb 2014 14:50:59 -0500

I know this is a silly question but from what I'm reading on this thread,
we're talking about putting an SMTP block on ALL outbound email? I hope
that's not the case because that doesn't make any sense. How do you
distinguish between legit and bad outbound traffic?

IMHO, the only value a FW has these days is to block unsolicited inbound
connections. Using a combo of devices like PA, FireEye (my favorite),
Stonesoft, Snort, etc. in combo with subscribing to some sort of threat
intelligence services (FireEye, SecureWorks, etc.) to monitor outbound
traffic is more effective.

SMTP servers are embedded in all sorts of devices ranging from printers,
copiers and scanners. Effective patch mgt solutions like BigFix etc. are
proving to be more effective in halting malware infections that manage to
make it past the IDS/IPS sensors. Yes, the malware got loaded on the target
but it needs to exploit a hole in a software component and if that hole was
patched effectively, the net result is the machine wasn't compromised.
Blocking the outbound communication to a controller is key. It's hard but
the technology is getting better.

Network Security Monitoring aka Continuous Monitoring of outbound traffic
seems to be the more effective solution.

-Randy Marchany
VA Tech IT Security Office and Lab.
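An added example, not from Randy's post or anything on the Educause list, of the outbound-monitoring approach the post describes instead of a blanket outbound SMTP block: rather than dropping all of port 25, the script below reads NetFlow-style records and flags internal hosts that talk SMTP to the Internet without being one of the authorized mail relays, then ranks them by how many distinct external destinations they fan out to. The relay allowlist, the 10.0.0.0/8 internal range, and the flow records are all constructed for the example; the ranking heuristic (a scan-to-email copier hits one relay once, a spam bot fans out to many MX hosts) is the author's assumption, not a published rule.

```python
"""Flag outbound SMTP from internal hosts that are not authorized mail relays.

Added example, not from the original post.  The allowlist, the internal
address range and the flow records below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed: the campus mail relays allowed to speak SMTP to the Internet.
AUTHORIZED_RELAYS = {"10.1.0.25", "10.1.0.26"}
# Assumed: the internal address space.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Ports used for outbound mail delivery and submission.
SMTP_PORTS = {25, 465, 587}

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes".
# 10.1.0.25 is an authorized relay, 10.9.1.14 a copier doing scan-to-email,
# 10.5.7.33 a workstation fanning out to several external mail hosts.
SAMPLE_FLOWS = """\
2014-02-14T14:01:02 10.1.0.25 203.0.113.10 25 4120
2014-02-14T14:01:05 10.1.0.25 198.51.100.8 25 3877
2014-02-14T14:02:10 10.9.1.14 203.0.113.10 25 61200
2014-02-14T14:03:00 10.5.7.33 198.51.100.8 25 980
2014-02-14T14:03:01 10.5.7.33 198.51.100.9 25 1010
2014-02-14T14:03:02 10.5.7.33 203.0.113.44 25 975
2014-02-14T14:03:03 10.5.7.33 192.0.2.77 587 990
2014-02-14T14:04:00 10.5.7.33 192.0.2.5 443 15000
2014-02-14T14:05:00 203.0.113.10 10.1.0.25 25 2200
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def is_outbound_smtp(flow):
    """True for internal -> external flows on a mail port (inbound mail is ignored)."""
    return (
        flow["src"] in INTERNAL_NET
        and flow["dst"] not in INTERNAL_NET
        and flow["dport"] in SMTP_PORTS
    )


def find_unauthorized_smtp(text, authorized=AUTHORIZED_RELAYS):
    """Return {src_ip: {"flows": n, "destinations": set}} for non-relay senders."""
    report = defaultdict(lambda: {"flows": 0, "destinations": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_outbound_smtp(flow):
            continue
        src = str(flow["src"])
        if src in authorized:
            continue  # legitimate relay traffic, nothing to flag
        report[src]["flows"] += 1
        report[src]["destinations"].add(str(flow["dst"]))
    return dict(report)


def rank_suspects(report):
    """Most distinct external destinations first; fan-out is the stronger signal."""
    return sorted(
        report,
        key=lambda host: (len(report[host]["destinations"]), report[host]["flows"]),
        reverse=True,
    )


if __name__ == "__main__":
    findings = find_unauthorized_smtp(SAMPLE_FLOWS)
    for host in rank_suspects(findings):
        info = findings[host]
        print(f"{host}: {info['flows']} outbound SMTP flows to "
              f"{len(info['destinations'])} external hosts")
```

The output puts the workstation ahead of the copier, which is the triage order an analyst wants: the copier can be added to the allowlist (or given its own firewall exception to the campus relay), while the workstation is a candidate for the IDS/IPS and patch-status checks the post mentions. On a real export the same functions run over the NetFlow or firewall log export instead of the constructed `SAMPLE_FLOWS` string.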
