Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson (proberts_at_patriot.net)
Date: 05/28/03
- Previous message: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- In reply to: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Next in thread: Chuck Swiger: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: ark@eltex.net Date: Wed, 28 May 2003 09:23:02 -0400 (EDT)
On Wed, 28 May 2003 ark@eltex.net wrote:
> If they really do not use it, you are completely right, any unused
> port should be blocked (if we use packet filtering firewalls. i run
> irc from the office but i use proxy ;-)
Outbound, it's difficult to block arbitrary ports, however- 6667 is one of
the ones that I'd insist on blocking/logging because 99% of the time in a
business environment, the client trying to get out is going to be mirc.dll
embedded in a trojan (the current vogue is to use SMB share password
guessing and IIS worms to compromise more internal clients, then 6667/tcp
out to an IRC network for control.)
Anytime we get more trojaned machines than legitimate machines using a
service, we need to examine the service closely. I've encountered more
and more trojaned machines lately in my investigation of incidents. This
is not a good trend, and especially with worms, it's controlable by
denying IRC outbound by default, and handling exceptions on a case-by-case
basis (or making them SSH out to a shell server and use a command-line
client.)
I'd challenge the folks on this list to _at_least_log_ outbound port 6667
activity in their companies for a week, and then see who's really using
IRC, and who's got trojaned desktops. If more than 2% of the clients are
going out, it's likely you're botnetted.
Waiting until someone calls to tell you that your network is participating
in a DDoS is too late.
In an ideal world, everyone would practice default deny both in and
outbound- but I don't see that happening anytime soon, so at least let's
address the risks of the day by default, and move on from there.
Regards,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- In reply to: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Next in thread: Chuck Swiger: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
