Snort mailing list archives
Re: deny default outbound (was Reverse shell)
From: Bennett Todd <bet () rahul net>
Date: Mon, 25 Mar 2013 12:14:04 -0400
I've enjoyed some limited success by tying opened outbound protocols with hardened internal clients. Few apps seem to legitimately need to do their own DNS; a dnscache as part of the firewall plant seems to go over well. Not too many more need to do their own SMTP; a postfix or qmail seems to please. HTTP is a dumping ground for wickedness, but if you can pick a web browser that doesn't have a lethally bad security record, and allow only it to pass directly, and route all others through a proxy, the complaints will highlight apps that are abusing the protocol to bypass security. The folks I've met with legitimate need to ssh outbound seem to be more technically savvy, and a proxy-enabled ssh client plus tight logging seems to be an adequate compromise. For other problems, like multimedia chatting, I offer a client installed on a server in the DMZ, with ssh or vnc access from the inside.
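A sketch of the choke-point policy described in the message above, added to this archive page as an illustration; it is not code from the post or from the Snort project. It models only the part a packet filter can enforce (each outbound protocol is open solely from its designated internal relay) and tallies the denied direct attempts that point at clients bypassing those relays. The addresses, host roles and the four-field flow format are assumptions made for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed addressing (RFC 1918 inside, RFC 5737 outside); host roles are assumed.
INTERNAL = ip_network("10.0.0.0/8")
# (protocol, destination port) -> the only internal hosts allowed to open it outbound
EGRESS_POLICY = {
    ("udp", 53): {"10.0.0.53"},   # dnscache
    ("tcp", 53): {"10.0.0.53"},
    ("tcp", 25): {"10.0.0.25"},   # postfix or qmail relay
    ("tcp", 80): {"10.0.0.80"},   # HTTP proxy
    ("tcp", 443): {"10.0.0.80"},
    ("tcp", 22): {"10.0.0.22"},   # ssh relay with tight logging
}

# Constructed flow records, one per line: "proto src dst dport"
SAMPLE_FLOWS = """\
udp 10.0.0.53 192.0.2.1 53
udp 10.1.2.30 192.0.2.1 53
udp 10.1.2.30 192.0.2.1 53
tcp 10.0.0.80 198.51.100.7 443
tcp 10.1.2.44 198.51.100.7 443
tcp 10.1.2.44 203.0.113.9 8443
tcp 10.1.2.30 10.0.0.80 3128
tcp 10.0.0.25 203.0.113.25 25
""".splitlines()


def decide(proto, src, dst, dport):
    """Return 'allow', 'deny' or 'ignore' for one flow under default-deny egress."""
    if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
        return "ignore"  # not an internal-to-external flow
    allowed = EGRESS_POLICY.get((proto, dport), set())  # unlisted ports: nobody
    return "allow" if src in allowed else "deny"


def bypass_report(lines):
    """Count denied outbound attempts per (source, protocol, port), busiest first."""
    denied = Counter()
    for line in lines:
        proto, src, dst, dport = line.split()
        if decide(proto, src, dst, int(dport)) == "deny":
            denied[(src, proto, int(dport))] += 1
    return denied.most_common()


if __name__ == "__main__":
    for (src, proto, dport), hits in bypass_report(SAMPLE_FLOWS):
        print(f"{src} tried {proto}/{dport} directly {hits} time(s)")
```
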