Re: Spyware

[Liran Cohen <theog () tehila gov il>]

HI Matt,

I would recommend blocking all unnecessary traffic in either case, the 
benefits are a) users will not be able to use applications you do not 
approve of, b) you can look at the firewall logs for irregular traffic 
thus identifying some of the malicious traffic. mind you though, many 
malwares use standard ports to communicate with each other or with their 
"home" :)

There are some content inspection utilities which may filter the ports 
you allow so that no one can transfer unwanted data.

Here's a nice project I really like (many more are at freshmeat.net and 
similar sites):
http://httpf.sourceforge.net/

Liran Cohen
Security and Communication consultant
Israeli Government
+972-2-5317361
theog () tehila gov il


Matt Stern wrote:
> Hello all:
>
> I was just wondering if spyware sends its answers "back home" on any 
> particular TCP or UDP port.  If so, then couldn't I doubly safeguard the 
> LAN (after trying to keep all the spyware off the workstations) by 
> disallowing outbound communications via the firewall, for those ports? 
> Or conversely, instead of allowing all outbound traffic, only allow the 
> usual ports, such as 80, 443, 23, etc?
>
> Thanks.