Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson (proberts_at_patriot.net)
Date: 05/28/03
- Previous message: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- In reply to: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Next in thread: Chuck Swiger: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: ark@eltex.net Date: Wed, 28 May 2003 09:23:02 -0400 (EDT)
On Wed, 28 May 2003 ark@eltex.net wrote:
> If they really do not use it, you are completely right, any unused
> port should be blocked (if we use packet filtering firewalls. i run
> irc from the office but i use proxy ;-)
Outbound, it's difficult to block arbitrary ports, however- 6667 is one of
the ones that I'd insist on blocking/logging because 99% of the time in a
business environment, the client trying to get out is going to be mirc.dll
embedded in a trojan (the current vogue is to use SMB share password
guessing and IIS worms to compromise more internal clients, then 6667/tcp
out to an IRC network for control.)
Anytime we get more trojaned machines than legitimate machines using a
service, we need to examine the service closely. I've encountered more
and more trojaned machines lately in my investigation of incidents. This
is not a good trend, and especially with worms, it's controllable by
denying IRC outbound by default, and handling exceptions on a case-by-case
basis (or making them SSH out to a shell server and use a command-line
client.)
I'd challenge the folks on this list to _at_least_log_ outbound port 6667
activity in their companies for a week, and then see who's really using
IRC, and who's got trojaned desktops. If more than 2% of the clients are
going out, it's likely you're botnetted.
Waiting until someone calls to tell you that your network is participating
in a DDoS is too late.
In an ideal world, everyone would practice default deny both in and
outbound- but I don't see that happening anytime soon, so at least let's
address the risks of the day by default, and move on from there.
Regards,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
proberts@patriot.net       which may have no basis whatsoever in fact."
probertson@trusecure.com
Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
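The one-week 6667/tcp audit suggested above, worked through as an added example; this is not code from the post or the list. It assumes the firewall writes iptables-style LOG lines for new outbound connections (a rule such as `iptables -A FORWARD -p tcp --dport 6667 --syn -j LOG --log-prefix "OUT-IRC "` produces that format; the `OUT-IRC` prefix is a hypothetical name), that the operator knows how many client machines sit behind the firewall (`client_count`), and that the sample log lines are constructed, not captured. The 2% rule of thumb is the post's; grouping sources by the IRC server they contact, so that one server reached by many desktops stands out as a candidate controller, is an extra heuristic added here.

```python
"""Audit outbound IRC (6667/tcp) from firewall LOG lines.

Added example, not from the original firewall-wizards post. Assumes
iptables-style LOG output with a hypothetical 'OUT-IRC' prefix; the
sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: a week of outbound-SYN log lines, trimmed to a handful.
SAMPLE_LOG = """\
May 28 09:01:12 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.15 DST=203.0.113.7 LEN=48 TTL=127 PROTO=TCP SPT=1037 DPT=6667 SYN
May 28 09:01:40 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.15 DST=203.0.113.7 LEN=48 TTL=127 PROTO=TCP SPT=1041 DPT=6667 SYN
May 28 09:03:02 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.22 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1100 DPT=6667 SYN
May 28 09:05:17 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.23 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1101 DPT=6667 SYN
May 28 09:05:49 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=192.168.10.40 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1102 DPT=80 SYN
May 28 09:07:30 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.24 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1103 DPT=6667 SYN
May 28 09:09:03 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.31 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1104 DPT=6667 SYN
May 28 09:11:55 fw kernel: OUT-IRC IN=eth1 OUT=eth0 SRC=192.168.10.50 DST=198.51.100.9 LEN=48 TTL=127 PROTO=UDP SPT=1105 DPT=6667
"""

# Pull source, destination, protocol and destination port out of a LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_connections(log_text, port=6667):
    """Yield (src, dst) for every logged TCP connection to `port`.

    Non-TCP lines and other ports (the DPT=80 and PROTO=UDP lines above)
    are skipped, so a UDP-only talker is not counted as an IRC client.
    """
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("proto") == "TCP" and int(m.group("dpt")) == port:
            yield m.group("src"), m.group("dst")


def irc_report(log_text, client_count, port=6667, threshold=0.02):
    """Apply the post's rule of thumb: flag the network if more than
    `threshold` of `client_count` hosts opened outbound IRC connections.

    Also lists servers contacted by more than one internal host, an added
    heuristic: legitimate users pick their own networks, bots share one.
    """
    by_src = defaultdict(set)   # internal host -> IRC servers it reached
    by_dst = defaultdict(set)   # IRC server -> internal hosts that reached it
    for src, dst in parse_connections(log_text, port):
        by_src[src].add(dst)
        by_dst[dst].add(src)
    fraction = len(by_src) / client_count if client_count else 0.0
    return {
        "clients_using_irc": sorted(by_src),
        "fraction": fraction,
        "likely_botnet": fraction > threshold,
        "shared_servers": {d: sorted(s) for d, s in by_dst.items() if len(s) > 1},
    }


if __name__ == "__main__":
    report = irc_report(SAMPLE_LOG, client_count=200)
    for host in report["clients_using_irc"]:
        print("IRC client:", host)
    print("fraction of clients: %.1f%%" % (100 * report["fraction"]))
    print("likely botnetted:", report["likely_botnet"])
    for server, hosts in report["shared_servers"].items():
        print("server %s reached by %d hosts" % (server, len(hosts)))
```

Run against the constructed log with 200 desktops behind the firewall, five distinct hosts (2.5%) went out to 6667/tcp, four of them to the same server, so the report flags the network; the same five hosts on a 1000-client network fall under the 2% line. The threshold is a starting point for the week-long look, not a verdict: the list of hosts and the shared-server grouping are what an investigator actually follows up on.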