Home page logo
/

basics logo Security Basics mailing list archives

Re: Open All Outbound Ports?
From: Vince Hillier <vdh () plutonium homeunix com>
Date: 09 Nov 2002 13:46:18 -0500

On Thu, 2002-11-07 at 20:33, tony tony wrote:
Hi, 

Our firewall group has came to me several times over the last few months
wanting my approval to open all of the “OUTBOUND” ports on our firewall facing
the internet.  Their argument is that this would not significantly reduce our
security and it will reduce their time/effort in administration.  

Bas idea...  Lazyness is overcoming them, and your security will be the
cost.  What hapens when somebody opens up that pretty icon in their
email, and they see a nice little animation, yet 31337 h4x0r (mmmhmm)
takes remote control?  Time to get a new firewall group ;)

They claim
they get several requests a week to open up out bound ports and the number
keeps growing each month. They want to go for the gusto…and open up all 65,000+
outbound ports.

Are they kidding? how many ports can the open? I know it's alot of work
/initially/, but honestly, ask yourself that qeuestion.  Once a firewall
is properly configured, the maintenance is and should be minimal.

I am in the security area and they want my agreement/sign off before they do
this.  It just does not “feel/smell right” but I am losing ground with my
arguments.  What are some good arguments I can use?  

You're right, it doesn't smell right, how do you know someone internal
has not planed something to take control remotely?

In the end, your job could be on the line...  if they can go above your
head and get the approval, let them.  But don't you approve it, unless
of course, you can explain why you authorized something that costed the
company "billions" of dollars.  It's always billions... even in 50
people operations... ;)


Tony


__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]