Firewall Wizards mailing list archives
Re: outbound traffic security risk
From: Don Kendrick <don () hawaiidon com>
Date: Tue, 23 Mar 2004 09:11:16 -0500
I'm a firm believer in using outbound rules in all cases. It's just a good practice and part of defense in depth.
You mention users sending outbound traffic. Since TCP allows data to flow in both directions once the connection is established, wouldn't a smart hacker just try to get any sort of program onto your systems that would make the outbound request? Then they could use that connection as an inbound path past your firewalls. That's exactly how most trojans/backdoors work nowadays.
Going one step further, many of them use a port that is usually left open such as 80 or 443. If you're not using a proxy at the border to look inside those requests you still might have trouble. But that's another topic.
Now for servers. If you have a web server that hosts 80 and 443 inbound, wouldn't you like to know if it started doing irc or tftp outbound? Without outbound rules, you won't know. Sure, you may still get hacked/defaced with an inbound attack. But you make it that much harder to "own" the box.
How about an internal server? Same deal, it shouldn't be making outbound requests that you don't know about.
Doing outbound rules requires that you know your traffic. Sometimes this is painful for an organization. But the short term pain has long term benefits if a new virus/worm comes out that relies on a port being open (why does MS come to mind?) to propagate, and it does.
Further, it gives you at least a chance to be in the mix if those pesky developers develop something without getting security involved (does that ever happen?). Guess what, they have to come to you to get the ports open, and you at least have some chance of a sanity check.
Don

On Mar 23, 2004, at 3:50 AM, Hilal Hussein wrote:

Dear List,

I would like to ask about the risk of opening outbound port traffic in the firewall. Currently, I am opening the outbound port traffic based on user requests, such as pop3 and smtp traffic. I read about some risks that could be in some kinds of outbound traffic, which might pass java scripts, or trojan horses, or other kinds of attacks during the opened session from users (inside the network) to the outside.

So please, I need to know of any risk that could come with some kinds of outbound traffic, and if there is a good link for resources about the latest news of vulnerabilities of such outbound traffic.

Your response is highly appreciated, with regards,

Hilal
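Don's argument is "default deny outbound, allow only what you know, and notice when a server starts talking irc or tftp." The following is an added example, not code from the thread or from either poster: a small Python model of such an egress policy applied to constructed flow records. The networks (user LAN 10.0.1.0/24, web proxy 10.0.0.8, DMZ web server 10.0.2.10, resolver 10.0.0.53, internal server 10.0.3.5), the rules and the flows are all hypothetical; the point is that anything not on the allow list is denied and that the denied flows, grouped per source host, are what you review.

```python
"""Default-deny egress policy over constructed flow records (added example).

Hypothetical hosts and rules. Every outbound flow is checked against an
explicit allow list; unmatched flows are denied and collected per source
host so that unexpected outbound (e.g. irc or tftp from a web server)
stands out in review.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # source host address
    dst: str     # destination host address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dports: frozenset
    why: str     # who asked for the rule and why: the "know your traffic" record


# Hypothetical allow list. Order matters only for the returned reason.
ALLOW_RULES = [
    Rule("10.0.1.0/24", "10.0.0.8/32", "tcp", frozenset({3128}),
         "user LAN -> web proxy; browsing goes through the proxy only"),
    Rule("10.0.1.0/24", "0.0.0.0/0", "tcp", frozenset({25, 110}),
         "user LAN -> smtp/pop3, opened on user request"),
    Rule("10.0.2.10/32", "10.0.0.53/32", "udp", frozenset({53}),
         "DMZ web server -> internal resolver only"),
    # The internal server 10.0.3.5 has no outbound allow rule at all.
]

# Ports the post calls out as a warning sign when seen from a server.
NOTABLE_PORTS = {6667: "irc", 69: "tftp"}


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's networks, protocol and ports."""
    return (flow.proto == rule.proto
            and flow.dport in rule.dports
            and ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net))


def evaluate(flow: Flow):
    """Return ("allow", reason) for the first matching rule, else ("deny", reason)."""
    for rule in ALLOW_RULES:
        if matches(rule, flow):
            return "allow", rule.why
    return "deny", "default deny: no outbound rule covers this traffic"


def audit(flows):
    """Group denied flows by source host: (proto, dport, label) tuples."""
    denied = defaultdict(list)
    for flow in flows:
        decision, _ = evaluate(flow)
        if decision == "deny":
            denied[flow.src].append((flow.proto, flow.dport, NOTABLE_PORTS.get(flow.dport, "")))
    return dict(denied)


# Constructed sample flows, as a flow log would report them.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.8", "tcp", 3128),      # user via proxy: allowed
    Flow("10.0.1.20", "203.0.113.7", "tcp", 443),    # user bypassing the proxy: denied
    Flow("10.0.1.21", "203.0.113.20", "tcp", 110),   # pop3 as requested: allowed
    Flow("10.0.2.10", "10.0.0.53", "udp", 53),       # web server DNS to resolver: allowed
    Flow("10.0.2.10", "198.51.100.9", "tcp", 6667),  # web server talking irc: denied, notable
    Flow("10.0.2.10", "198.51.100.9", "udp", 69),    # web server doing tftp: denied, notable
    Flow("10.0.3.5", "203.0.113.7", "tcp", 80),      # internal server outbound: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        decision, why = evaluate(f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {decision} ({why})")
    for host, entries in audit(SAMPLE_FLOWS).items():
        print(f"review {host}: {entries}")
```

The `why` field on each rule is the part that makes the "short term pain" pay off: when a developer comes asking for a port, the answer is recorded next to the rule, and the review output shows only the traffic nobody asked for.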