Firewall Wizards mailing list archives

Re: outbound traffic security risk


From: Don Kendrick <don () hawaiidon com>
Date: Tue, 23 Mar 2004 09:11:16 -0500

I'm a firm believer in using outbound rules in all cases. It's just a good practice and part of defense in depth.

You mention users sending outbound traffic. Since TCP allows data to flow in both directions once the connection is established wouldn't a smart hacker just try to get any sort of program on your systems that would make the outbound request? Then they could use that connection as an inbound path past your firewalls. That's exactly how most trojans/backdoors work nowadays.

Going one step further, many of them use a port that is usually left open such as 80 or 443. If you're not using a proxy at the border to look inside those requests you still might have trouble. But that's another topic.

Now for servers. If you have a web server that hosts 80 and 443 inbound wouldn't you like to know if it started doing irc or tftp outbound? Without outbound rules, you won't know. Sure, you may still get hacked/defaced with an inbound attack. But you make it that much harder to "own" the box.

How about an internal server? Same deal, it shouldn't be making outbound requests that you don't know about.

Doing outbound rules requires that you know your traffic. Sometimes this is painful for an organization. But the short term pain has long term benefits if a new virus/worm comes out that relies on a port being open (why does MS come to mind) to propagate and it does.

Further, it gives you at least a chance to be in the mix if those pesky developers develop something without getting security involved (does that ever happen?). Guess what, they have to come to you to get the ports open and you at least have some chance of a sanity check.



Don


On Mar 23, 2004, at 3:50 AM, Hilal Hussein wrote:

Dear List,

I would like to ask about the risk of opening outbound port traffic in the firewall.

Currently, I am opening the outbound port traffic based on user requests, such as POP3 and SMTP traffic. I read about some risk that could be in some kinds of outbound traffic which might pass JavaScript, or trojan horses, or other kinds of attacks during the opened session from users (inside the network) to the outside.

So please, I need to know of any risk that could come with some kinds of outbound traffic, and if there is a good link for resources about the latest news of vulnerabilities of such outbound traffic.

Your response is highly appreciated,

with regards,

Hilal


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


