Snort mailing list archives
Re: deny default outbound (was Reverse shell)
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Mon, 25 Mar 2013 16:44:25 +0000
Yes, I've successfully blocked port 25/tcp and 53/(udp|tcp) outbound from any but established and known servers, and limited outbound HTTP for protected servers, but we've a long way to go yet. Funny how some workstation suddenly using DNS or SMTP directly to the outside is such a red flag... ;)

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bent () latency net [mailto:bent () latency net] On Behalf Of Bennett Todd
Sent: Monday, March 25, 2013 10:14
To: Castle, Shane
Cc: Jamie Riden; snort-sigs () lists sourceforge net; Aisling Brennan
Subject: Re: deny default outbound (was Reverse shell)

I've enjoyed some limited success by tying opened outbound protocols with hardened internal clients.

Few apps seem to legitimately need to do their own DNS; a dnscache as part of the firewall plant seems to go over well. Not too many more need to do their own SMTP; a postfix or qmail seems to please.

HTTP is a dumping ground for wickedness, but if you can pick a web browser that doesn't have a lethally bad security record, and allow only it to pass directly, and route all others through a proxy, the complaints will highlight apps that are abusing the protocol to bypass security.

The folks I've met with legitimate need to ssh outbound seem to be more technically savvy, and a proxy-enabled ssh client plus tight logging seems to be an adequate compromise.

For other problems, like multimedia chatting, I offer a client installed on a server in the DMZ, with ssh or vnc access from the inside.
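The policy both posters describe (outbound DNS and SMTP only from the designated resolver and mail relay, HTTP only via the proxy, everything else outbound denied unless it belongs to an already accepted connection) can be written down as data and then used both to flag the "workstation doing its own DNS" red flag in flow records and to generate the firewall rules. The following is an added example, not code from the thread or from the Snort project; the address space, the host roles, the flow records and the nftables rendering are all constructed assumptions for the demonstration.

```python
"""
Default-deny egress policy: check flows against it and render firewall rules.

Added example, not code from the Snort-sigs thread. It models the policy the
posters describe: outbound DNS (53/udp|tcp) and SMTP (25/tcp) are allowed only
from the designated resolver and mail relay, HTTP(S) only from the proxy, and
everything else outbound is denied unless it belongs to an already established
connection. All addresses, host roles and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address space considered "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed policy table: (proto, dport) -> internal hosts allowed to open
# that port to the outside. Anything not listed is denied by default.
ALLOWED_EGRESS = {
    ("udp", 53): {"10.0.0.53"},   # dnscache on the firewall plant
    ("tcp", 53): {"10.0.0.53"},
    ("tcp", 25): {"10.0.0.25"},   # the postfix relay
    ("tcp", 80): {"10.0.0.80"},   # the web proxy
    ("tcp", 443): {"10.0.0.80"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    state: str  # "new" for a fresh connection, "established" for its continuation


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def verdict(flow: Flow) -> str:
    """Return "allow" or "deny" for one flow under the egress policy."""
    # Only inside -> outside traffic is subject to egress filtering here.
    if not is_internal(flow.src) or is_internal(flow.dst):
        return "allow"
    # Stateful: packets of a connection that was already accepted pass.
    if flow.state == "established":
        return "allow"
    permitted_hosts = ALLOWED_EGRESS.get((flow.proto, flow.dport))
    if permitted_hosts is None:
        return "deny"            # port never opened outbound at all
    return "allow" if flow.src in permitted_hosts else "deny"


def red_flags(flows):
    """Map each inside host to the sorted (proto, port) pairs it tried to reach
    directly in violation of the policy. A workstation appearing here with
    53 or 25 is exactly the signal the thread calls a red flag."""
    hits = {}
    for f in flows:
        if verdict(f) == "deny":
            hits.setdefault(f.src, set()).add((f.proto, f.dport))
    return {host: sorted(ports) for host, ports in hits.items()}


def render_nft() -> str:
    """Render the same policy as an nftables forward-chain ruleset. Assumed to
    sit on the border firewall; inside-to-inside forwarding is accepted and
    ingress policy is out of scope here."""
    lines = ["table inet egress {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ip daddr 10.0.0.0/8 accept"]
    for (proto, port), hosts in sorted(ALLOWED_EGRESS.items()):
        for host in sorted(hosts):
            lines.append(f"    ip saddr {host} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records (203.0.113.0/24 is documentation space, i.e. "outside").
SAMPLE_FLOWS = [
    Flow("10.0.0.53", "203.0.113.10", "udp", 53, "new"),      # resolver forwarding a query: allow
    Flow("10.0.5.17", "10.0.0.53", "udp", 53, "new"),         # workstation asking the resolver: allow
    Flow("10.0.5.17", "203.0.113.10", "udp", 53, "new"),      # workstation doing its own DNS: deny
    Flow("10.0.0.25", "203.0.113.25", "tcp", 25, "new"),      # relay delivering mail: allow
    Flow("10.0.5.17", "203.0.113.25", "tcp", 25, "new"),      # workstation speaking SMTP directly: deny
    Flow("10.0.5.17", "203.0.113.80", "tcp", 80, "new"),      # bypassing the proxy: deny
    Flow("10.0.0.80", "203.0.113.80", "tcp", 443, "new"),     # proxy fetching for its clients: allow
    Flow("10.0.0.80", "203.0.113.80", "tcp", 443, "established"),  # continuation of that connection: allow
    Flow("10.0.5.17", "203.0.113.9", "tcp", 4444, "new"),     # port never opened outbound: deny
]

if __name__ == "__main__":
    for host, ports in red_flags(SAMPLE_FLOWS).items():
        print(host, ports)
    print(render_nft())
```

Keeping the policy in one table means the detection side (`red_flags`, which you would feed from real flow or connection-tracking logs) and the enforcement side (`render_nft`) cannot drift apart: a host that is allowed to egress on a port is, by construction, never flagged for it.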