Re: How secure is to open ports from inside the firewall?
From: e.m.baechle () ieee org
Date: 15 Mar 2007 00:44:02 -0000
There are (at least) two schools of thought on actually blocking outbound traffic through the firewall. Both of these
say: log the traffic outbound and review it occasionally. The important thing to understand is that most firewalls by
default ALLOW all traffic outbound (all of your ports outbound are already open).
The first, the deny-all principle, suggests you should deny all traffic outbound on ports that do not directly support
your business processes. Typically, outbound traffic is limited to HTTP, HTTPS, and SMTP. Even better is when you
use a web proxy server and limit HTTP and HTTPS traffic outbound only from the proxy and SMTP only from the e-mail
server. Add specific rules for specific services and systems (this may require static IP address assignment; or use IPSEC
for authenticating the system [without encryption] on DHCP networks). Any traffic blocked and logged on your firewall
either violates your electronic communications policy or is malicious. You can then concentrate on hardening your SMTP
and HTTP/S proxy servers against hijacking.
The second, the let-it-go concept, is for limited-budget groups that lack the expertise to set up proxy servers for their
services, or that have a lot of dynamic services and traveling personnel (who access SMTP from their laptops across your
firewall, attach to various client VPNs, etc.). In this case, try to make a profile of what is normal (a baseline) and
review anything that happens to be out of place.
Another consideration is to at least log abnormal situations going out. For example, if your office hours are from
6:00am to 6:00pm, and the latest person usually stays until 8:00pm, then log any outbound traffic that happens after
8:00pm. Those hits where a machine is going out when there's nobody in the office, even on HTTP/S, could be a
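As an added illustration (not part of the original post), here is a small Python check that applies both ideas above to constructed firewall log lines: the deny-all egress baseline (only the proxy may speak HTTP/S outbound, only the mail server SMTP) and the after-hours review. The log format, host addresses and office window are assumptions.

```python
"""Review outbound firewall log lines against a deny-all egress baseline."""
from datetime import datetime, time

# Constructed sample log lines: timestamp, source, destination, dst port, action.
# The key=value format is an assumption; adapt parse_line() to your firewall's export.
SAMPLE_LOG = """\
2007-03-14 10:15:02 src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2007-03-14 11:02:40 src=10.0.0.9 dst=198.51.100.4 dport=443 action=allow
2007-03-14 14:30:11 src=10.0.0.6 dst=198.51.100.7 dport=25 action=allow
2007-03-14 22:47:55 src=10.0.0.5 dst=203.0.113.22 dport=80 action=allow
2007-03-14 03:12:09 src=10.0.0.17 dst=192.0.2.50 dport=6667 action=allow
"""

# Deny-all baseline (assumed addresses): only these (source, port) pairs are
# expected outbound. Anything else is a policy violation or malicious.
PROXY_HOST, MAIL_HOST = "10.0.0.5", "10.0.0.6"
EXPECTED = {(PROXY_HOST, 80), (PROXY_HOST, 443), (MAIL_HOST, 25)}

# Office window from the post: 06:00 until the last person leaves at 20:00.
OFFICE_START, OFFICE_END = time(6, 0), time(20, 0)


def parse_line(line):
    """Turn one 'YYYY-MM-DD HH:MM:SS key=value ...' line into a dict."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    fields["dport"] = int(fields["dport"])
    return fields


def review(log_text):
    """Return (reason, line) pairs for every outbound hit worth a closer look.

    A single line can yield two findings: a workstation bypassing the proxy
    at 3am is both a policy violation and after-hours traffic.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec["src"], rec["dport"]) not in EXPECTED:
            findings.append(("policy-violation", line))
        if not OFFICE_START <= rec["ts"].time() < OFFICE_END:
            findings.append(("after-hours", line))
    return findings


if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"{reason:17} {line}")
```

On the sample above the proxy's daytime HTTPS and the mail server's SMTP pass silently, while the workstation on 443, the proxy's 22:47 hit and the 03:12 IRC-port connection are reported.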