Security Basics mailing list archives
Re: Unrestricted Outbound Web Server Access Opinion
From: Jon Hart <warchild () spoofed org>
Date: Tue, 3 May 2005 20:12:39 -0400
On Tue, May 03, 2005 at 08:54:57AM -0400, Paul Guibord wrote:
Hello All, Someone within our company wants our Internet-facing web servers to have unrestricted outbound access. Port 80 is the only port permitted from the outside coming in. I need the experts' opinion on why we do not want to permit this, PLEASE. Two things I could think of are: if the web servers were compromised, then the hacker would have the ability to offload any data they want. Another being, if they were infected with a worm, they would bring down the Internet T1 in their attempt to find other devices to infect. Thanks in advance for everyone's input.
If I were in your position, I'd definitely ask why they want the web servers to have unrestricted outbound access. If they have a legit reason (which is unlikely, IMO), then there has got to be a better way of doing whatever it is they are doing.

One reason you missed that having unrestricted outbound traffic in a situation like this is bad is that such a situation makes further compromise of your machine that much easier. Say they get in through a poorly written CGI or, worse yet, a hole in your web server software. One of the first things that is commonly done is to download some tools to, say, wipe the logs, gain root/superuser access via a local exploit, and so on. Without unrestricted outbound access, this makes things considerably more difficult, but not impossible.

There are a few common reasons to allow your web server to have unrestricted outbound access: DNS for local daemon name resolution, SMTP for any mail that may need to be sent, NTP for keeping accurate time, and so on. There are two possible solutions instead of giving full outbound access. One is to put the DNS, NTP and SMTP servers on a local network (say, in the DMZ with the web server), and then point your web server's daemons accordingly. Two is to have a tight firewall ruleset that only allows DNS, SMTP and NTP traffic to very specific hosts. Otherwise, if the web server has unrestricted outbound 53/tcp, 53/udp, 25/tcp and 123/tcp, they could just use any number of tools to further the compromise of your network by bringing down tools and such over those ports from servers that they control.

Hope this helps,
-jon
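The second solution Jon describes, a default-deny egress ruleset that only permits DNS, SMTP and NTP to named hosts, as an added example that is not part of the original thread. The server addresses, the `eth0` interface name and the iptables syntax are assumptions; by default the script only prints the rules it would apply.

```shell
#!/bin/sh
# Constructed example: default-deny egress for a DMZ web server that accepts
# only port 80 inbound. Addresses below are placeholders, not from the thread.
DNS_SERVERS="10.0.1.53"     # assumed local resolver(s) in the DMZ
SMTP_RELAY="10.0.1.25"      # assumed local mail relay
NTP_SERVERS="10.0.1.123"    # assumed local time source(s)
IPT="echo iptables"         # set IPT=iptables to apply for real; default prints only

# Emit one allow rule for a single proto/port to a single destination host.
allow_out() {
    proto="$1"; port="$2"; dst="$3"
    $IPT -A OUTPUT -o eth0 -p "$proto" -d "$dst" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_egress_rules() {
    # Default-deny in both directions; loopback and established flows excepted.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound: only the web listener may start new connections.
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: per-service, per-host allowlist, never "port 53 to anywhere".
    for h in $DNS_SERVERS; do allow_out udp 53 "$h"; allow_out tcp 53 "$h"; done
    for h in $SMTP_RELAY;  do allow_out tcp 25 "$h"; done
    for h in $NTP_SERVERS; do allow_out udp 123 "$h"; done
    # Anything else a web server tries to initiate is worth logging as an alert.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "WEB-EGRESS-DROP: "
}

# Number of rules that would accept a NEW outbound flow; used to sanity-check
# that every permitted outbound service is pinned to an explicit host.
count_new_outbound_accepts() {
    build_egress_rules | grep -c -- '-A OUTPUT .* -d [0-9.]* --dport .*--ctstate NEW -j ACCEPT'
}

build_egress_rules
```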