Educause Security Discussion mailing list archives

Re: Firewall Upgrade


From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Fri, 14 Feb 2014 14:00:53 -0600

The way I used to handle this situation was to block all outbound email
at the firewall unless it was destined to the anti-spam system that sat
in the DMZ. Then, in that system, I blocked all relaying of email unless
there was an authenticated connection via SSL/TLS or if the system was
in an IP based allow list (for printer/copier/faxes or other similar
devices). This setup caused a little bit of pain until our User Support
group understood which cases needed which configuration.

With relaying the mail for those devices through the anti-spam system,
the messages still got scanned for spam and viruses.

--
Nathaniel Hall

On 2/14/2014 1:50 PM, randy wrote:
I know this is a silly question but from what I'm reading on this
thread, we're talking about putting an SMTP block on ALL outbound email?
I hope that's not the case because that doesn't make any sense. How do
you distinguish between legit and bad outbound traffic?

IMHO, the only value a FW has these days is to block unsolicited
inbound connections. Using a combo of devices like PA, FireEye (my
favorite), Stonesoft, Snort, etc in combo with subscribing to some sort
of threat intelligence services (Fireeye, secureworks, etc.) to monitor
outbound traffic is more effective.

SMTP servers are embedded in all sorts of devices ranging from printers,
copiers and scanners. Effective patch mgt solutions like BigFix etc are
proving to be more effective in halting malware infections that manage
to make it past the IDS/IPS sensors. Yes, the malware got loaded on the
target but it needs to exploit a hole in a software component and if
that hole was patched effectively, the net result is the machine wasn't
compromised. Blocking the outbound communication to a controller is key.
It's hard but the technology is getting better.

Network Security Monitoring aka Continuous Monitoring of outbound
traffic seems to be the more effective solution.

-Randy Marchany
VA Tech IT Security Office and Lab.
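As an added example (not part of the thread above) of the check a team running the block-at-the-firewall, relay-through-the-DMZ setup described by Nathaniel Hall wants, the following script audits constructed firewall log lines for internal hosts still attempting direct outbound SMTP, separating devices that belong on the relay's IP allow list (and just need their configuration repointed) from hosts that look like spam bots; the relay address, the allow list and the log format are assumed placeholders.

```python
import re
from collections import defaultdict

# Assumed placeholder values (not from the thread): the DMZ anti-spam
# relay and the IP allow list of devices permitted to relay through it.
RELAY = "192.0.2.25"
ALLOWED_DEVICES = {"10.0.5.10", "10.0.5.11"}
SMTP_PORTS = {25, 465, 587}

# Constructed log format; adapt the regex to your firewall's real output.
LOG_RE = re.compile(r"action=(?P<action>\w+) proto=tcp src=(?P<src>[\d.]+):\d+ "
                    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    m = LOG_RE.search(line)
    return None if m is None else (m["action"], m["src"], m["dst"], int(m["dport"]))

def audit(lines):
    """Summarise hosts that attempted SMTP to anything other than the relay."""
    report = defaultdict(lambda: {"count": 0, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _action, src, dst, dport = rec
        if dport not in SMTP_PORTS or dst == RELAY:
            continue  # mail sent via the relay is the sanctioned path
        report[src]["count"] += 1
        report[src]["dsts"].add(dst)
    for src, entry in report.items():
        if src in ALLOWED_DEVICES:
            # Already on the relay's allow list but still pointed at the
            # outside world: a device User Support needs to reconfigure.
            entry["status"] = "misconfigured-device"
        elif len(entry["dsts"]) >= 3:
            # Unknown host fanning out to many mail servers: likely a bot.
            entry["status"] = "suspect-spambot"
        else:
            entry["status"] = "review"
    return dict(report)

# Constructed sample firewall log lines for the demonstration.
SAMPLE_LOG = """\
action=drop proto=tcp src=10.0.5.10:40000 dst=203.0.113.5:25
action=drop proto=tcp src=10.0.7.33:41000 dst=198.51.100.1:25
action=drop proto=tcp src=10.0.7.33:41001 dst=198.51.100.2:25
action=drop proto=tcp src=10.0.7.33:41002 dst=198.51.100.3:25
action=accept proto=tcp src=10.0.7.40:41003 dst=192.0.2.25:25
action=drop proto=tcp src=10.0.9.2:41004 dst=198.51.100.9:587
""".splitlines()
```

Run `audit(SAMPLE_LOG)` to get one entry per offending source host; the host that went through the relay does not appear at all.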