Snort mailing list archives

Re: deny default outbound (was Reverse shell)


From: Bennett Todd <bet () rahul net>
Date: Mon, 25 Mar 2013 12:14:04 -0400

I've enjoyed some limited success by tying opened outbound protocols with
hardened internal clients.

Few apps seem to legitimately need to do their own DNS; a dnscache as part
of the firewall plant seems to go over well.

Not too many more need to do their own SMTP; a postfix or qmail seems to
please.

HTTP is a dumping ground for wickedness, but if you can pick a web browser
that doesn't have a lethally bad security record, and allow only it to pass
directly, and route all others through a proxy, the complaints will
highlight apps that are abusing the protocol to bypass security.

The folks I've met with legitimate need to ssh outbound seem to be more
technically savvy, and a proxy-enabled ssh client plus tight logging seems
to be an adequate compromise.

For other problems, like multimedia chatting, I offer a client installed on
a server in the DMZ, with ssh or vnc access from the inside.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
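
Added example, not part of the original post: a check over firewall logs that counts inside-to-outside flows which did not originate from the sanctioned relay for that port, which is how direct-connecting apps surface under a default-deny outbound policy. The addresses, the iptables-LOG-style line format and the names `RELAYS`, `parse` and `violations` are assumptions; the approved-browser exception from the post is not modelled, because packet logs do not identify the client application.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (hypothetical addresses): the only hosts allowed out, per port.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
RELAYS = {
    53: {"10.0.0.53"},   # dnscache
    25: {"10.0.0.25"},   # postfix or qmail relay
    80: {"10.0.0.80"},   # web proxy
    443: {"10.0.0.80"},
    22: {"10.0.0.80"},   # ssh clients tunnel through the proxy
}
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def parse(line):
    """Return (src, dst, dport) from an iptables-LOG-style line, or None."""
    f = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        dport = int(f["DPT"]) if "DPT" in f else None  # e.g. ICMP has no port
    except (KeyError, ValueError):
        return None
    return src, dst, dport

def violations(lines):
    """Count inside-to-outside flows that bypassed the sanctioned relay."""
    hits = Counter()
    for line in lines:
        flow = parse(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only inside-to-outside traffic is of interest
        if str(src) not in RELAYS.get(dport, set()):  # unlisted port: no one allowed
            hits[(str(src), dport)] += 1
    return hits

# Constructed sample log lines, not taken from a real firewall.
SAMPLE = [
    "Mar 25 12:00:01 fw kernel: SRC=10.0.0.53 DST=198.51.100.7 PROTO=UDP DPT=53",
    "Mar 25 12:00:02 fw kernel: SRC=10.1.2.3 DST=198.51.100.7 PROTO=UDP DPT=53",
    "Mar 25 12:00:03 fw kernel: SRC=10.1.2.3 DST=198.51.100.7 PROTO=UDP DPT=53",
    "Mar 25 12:00:04 fw kernel: SRC=10.1.2.3 DST=203.0.113.9 PROTO=TCP DPT=443",
    "Mar 25 12:00:05 fw kernel: SRC=10.1.2.9 DST=10.0.0.80 PROTO=TCP DPT=3128",
]
```

Sorting the result of `violations(SAMPLE)` by count gives the per-host list of applications to move behind a relay.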

