Jon said it very well, so I can only add a few minor thoughts...
* Can you show firewall logs proving that the only outbound port in use for
the last xxx days/weeks is http
(and maybe https, which is what I believe RedHat uses)?
* Explain the ramifications of having unrestricted port 25 (smtp) outbound
open if someone compromises the box...
* I'm not by a web browser, but a search on "web server, best practices,
outbound ruleset", and so on may find a white paper with pretty pictures
which will impress the suits...
HTH, and please share/summarize anything interesting with the list.
-DG
----- Original Message -----
From: "Jon Hart" <warchild_at_spoofed.org>
To: "Paul Guibord" <pguibord_at_tngtech.net>
Cc: <security-basics_at_securityfocus.com>
Sent: Tuesday, May 03, 2005 8:12 PM
Subject: Re: Unrestricted Outbound Web Server Access Opinion
> On Tue, May 03, 2005 at 08:54:57AM -0400, Paul Guibord wrote:
>>
>> Hello All,
>>
>> Someone within our company wants our Internet facing web servers to have
>> unrestricted outbound access. Port 80 is the only port permitted from
>> the outside coming in. I need the experts opinion why we do not want to
>> permit this PLEASE. Two things I could think of are if the web servers
>> were compromised, then the hacker would have the ability to offload any
>> data they want. Another being if they were infected with a worm they
>> would bring down the Internet T1 in their attempt to find other devices
>> to infect.
>>
>> Thanks in advance for everyone's input.
>
> If I were in your position, I'd definitely ask why they want the web
> servers to have unrestricted outbound access. If they have a legit
> reason (which is unlikely, IMO), then there has got to be a better way
> of doing whatever it is they are doing.
>
> One reason you missed that having unrestricted outbound traffic in
> a situation like this is bad is that such a situation makes further
> compromise of your machine that much easier. Say they get in through
> a poorly written CGI or, worse yet, a hole in your web server software.
> One of the first things that is commonly done is to download some tools
> to, say, wipe the logs, gain root/superuser access via local exploit,
> and so on. Without unrestricted outbound access, this makes things
> considerably more difficult but not impossible.
>
> There are a few common reasons to allow your webserver to have
> unrestricted outbound access. DNS for local daemon name resolution,
> SMTP for any mail that may need to be sent, NTP for keeping accurate
> time, and so on. Two possible solutions, instead of giving the full
> outbound access. One, is to put the DNS, NTP and SMTP servers on
> a local network (say in the DMZ with the web server), and then point
> your webserver's daemons accordingly. Two, have a tight firewall ruleset
> that only allows DNS, SMTP and NTP traffic to very specific hosts.
> Otherwise, if the webserver has unrestricted outbound 53/tcp, 53/udp,
> 25/tcp and 123/tcp, they could just use any number of tools to further
> the compromise of your network by bringing down tools and such over
> those ports from servers that they control.
>
> Hope this helps,
>
> -jon
Received on May 05 2005
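As an added example that is not part of the original thread: a POSIX shell script that emits the tight egress ruleset Jon describes (DNS, NTP and SMTP allowed only to named DMZ hosts, default-drop for everything else, drops logged) and then summarises those drops from syslog, which is the firewall-log evidence DG asks for. The addresses, interface name, log prefix and the log lines are constructed for the example; the `-m state` match is the iptables syntax of the period (newer kernels prefer `-m conntrack --ctstate`), and NTP is carried over 123/udp.

```shell
#!/bin/sh
# Egress allow-list for a DMZ web server (Linux iptables).
# Hypothetical hosts: replace with the resolver, NTP and mail relay in your DMZ.
DNS_SERVERS="10.1.0.53 10.1.0.54"
NTP_SERVER="10.1.0.123"
SMTP_RELAY="10.1.0.25"
LOG_PREFIX="EGRESS-DROP "

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed (and diffed against the live one) before being applied with `sh`.
egress_ruleset() {
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to inbound HTTP sessions that INPUT already accepted.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound connections only to specific hosts and ports.
    for h in $DNS_SERVERS; do
        echo "iptables -A OUTPUT -p udp -d $h --dport 53 -m state --state NEW -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $h --dport 53 -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p udp -d $NTP_SERVER --dport 123 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $SMTP_RELAY --dport 25 -m state --state NEW -j ACCEPT"
    # Everything else is logged (rate-limited) and dropped.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "iptables -A OUTPUT -j DROP"
}

# Summarise logged egress drops read from stdin as "count PROTO/DPT -> DST".
# A compromised host fetching tools over 80, or talking to a mail server or
# resolver that is not the approved one, shows up here immediately.
dropped_outbound_summary() {
    grep "$LOG_PREFIX" | awk '{
        proto = ""; dpt = ""; dst = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)     proto = substr($i, 7);
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5);
            else if ($i ~ /^DST=/)  dst = substr($i, 5);
        }
        if (proto != "") count[proto "/" dpt " -> " dst]++;
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed syslog lines in the kernel LOG-target format (not real traffic).
SAMPLE_LOG='May  5 10:12:01 web1 kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:12:03 web1 kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40124 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:12:09 web1 kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40130 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:12:15 web1 kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=33000 DPT=53 LEN=28'

egress_ruleset
echo
printf '%s\n' "$SAMPLE_LOG" | dropped_outbound_summary
```

Run the script as-is to review the generated rules; pipe its first part into `sh` only once the DMZ addresses are correct. Feed `/var/log/messages` (or wherever the kernel log lands) to `dropped_outbound_summary` to produce the per-destination table of blocked outbound attempts.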