Firewall Wizards mailing list archives
Re: Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson <proberts () patriot net>
Date: Wed, 28 May 2003 09:23:02 -0400 (EDT)
On Wed, 28 May 2003 ark () eltex net wrote:
> If they really do not use it, you are completely right, any unused port should be blocked (if we use packet filtering firewalls. i run irc from the office but i use proxy ;-)
Outbound, it's difficult to block arbitrary ports; however, 6667 is one of the ones that I'd insist on blocking/logging, because 99% of the time in a business environment the client trying to get out is going to be mirc.dll embedded in a trojan (the current vogue is to use SMB share password guessing and IIS worms to compromise more internal clients, then 6667/tcp out to an IRC network for control.)

Anytime we get more trojaned machines than legitimate machines using a service, we need to examine the service closely. I've encountered more and more trojaned machines lately in my investigation of incidents. This is not a good trend, and especially with worms, it's controllable by denying IRC outbound by default and handling exceptions on a case-by-case basis (or making them SSH out to a shell server and use a command-line client.)

I'd challenge the folks on this list to _at_least_log_ outbound port 6667 activity in their companies for a week, and then see who's really using IRC and who's got trojaned desktops. If more than 2% of the clients are going out, it's likely you're botnetted. Waiting until someone calls to tell you that your network is participating in a DDoS is too late.

In an ideal world, everyone would practice default deny both in- and outbound, but I don't see that happening anytime soon, so at least let's address the risks of the day by default, and move on from there.

Regards,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation
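The audit Paul proposes (log outbound 6667/tcp for a week, count who is really using IRC, treat more than 2% of clients as a botnet signal) is easy to script. The following is an added example and is not part of the original message or the list thread. It assumes Netfilter/iptables-style LOG lines (`SRC=`, `DST=`, `PROTO=TCP`, `DPT=`, TCP flags before `URGP=`) such as a rule like `iptables -A FORWARD -p tcp --dport 6667 --syn -j LOG --log-prefix "IRC-OUT: "` would emit, and it takes the size of the internal client population as an input so the percentage can be computed. The sample log lines are constructed for the example; the function names `parse_irc_connects` and `irc_report` are the example's own. Beyond the raw percentage, it also groups connecting hosts by IRC server, since many internal machines rendezvousing on one server at the same time looks more like command-and-control than like people chatting.

```python
"""Audit outbound IRC (6667/tcp) from firewall logs: who is really using it?

Added example for the firewall-wizards thread; not the poster's own code.
Assumes iptables-style LOG lines and a known internal client count.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). 10.0.0.0/24 is the inside net.
# Line 2 is a follow-on ACK of line 1's session; line 7 is ordinary HTTP.
SAMPLE_LOG = """\
May 28 09:01:12 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1042 DPT=6667 SYN URGP=0
May 28 09:01:13 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=1042 DPT=6667 ACK URGP=0
May 28 09:02:40 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1103 DPT=6667 SYN URGP=0
May 28 09:02:41 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1088 DPT=6667 SYN URGP=0
May 28 09:02:41 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.44 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1077 DPT=6667 SYN URGP=0
May 28 09:03:05 fw kernel: IRC-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.61 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1091 DPT=6667 SYN URGP=0
May 28 09:05:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.2 LEN=48 PROTO=TCP SPT=1200 DPT=80 SYN URGP=0
"""

# Pull source, destination, destination port and the TCP flag words that
# iptables prints between DPT= and URGP= (e.g. "SYN", "ACK", "SYN ACK").
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ "
    r"DPT=(?P<dport>\d+)\s+(?P<flags>.*?)\s*URGP="
)


def parse_irc_connects(log_text, port=6667):
    """Return {internal_src: set(dst)} for outbound TCP connection attempts
    (SYN without ACK) to `port`. Later packets of a session are not counted."""
    connects = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m.group("dport")) != port:
            continue
        flags = m.group("flags").split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # only new connection attempts, one per session
        connects[m.group("src")].add(m.group("dst"))
    return dict(connects)


def irc_report(connects, client_count, threshold_pct=2.0):
    """Summarise who talks IRC and whether it exceeds the rule-of-thumb threshold
    from the post (2% of clients). Also groups clients by destination server:
    many hosts joining the same server is the botnet rendezvous pattern."""
    clients_out = len(connects)
    pct = 100.0 * clients_out / client_count if client_count else 0.0
    by_server = defaultdict(set)
    for src, dsts in connects.items():
        for dst in dsts:
            by_server[dst].add(src)
    return {
        "clients_out": clients_out,
        "percent": round(pct, 2),
        "over_threshold": pct > threshold_pct,
        "servers": {dst: sorted(srcs) for dst, srcs in by_server.items()},
    }


if __name__ == "__main__":
    # Assumed client population of 200 desktops behind the firewall.
    report = irc_report(parse_irc_connects(SAMPLE_LOG), client_count=200)
    print(f"{report['clients_out']} clients ({report['percent']}%) spoke IRC; "
          f"over threshold: {report['over_threshold']}")
    for server, hosts in report["servers"].items():
        print(f"  {server}: {len(hosts)} internal hosts -> {', '.join(hosts)}")
```

Feed it a week of logs rather than the constructed sample, and the hosts listed under a server that four or five desktops joined within a minute of each other are the ones to image first; the lone host talking to its own server is more likely the legitimate exception the post suggests handling case by case.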