RE: [fw-wiz] Blocking MS Blaster --> filter outbound access

From: Frank Knobbe (frank_at_knobbe.us)
Date: 08/16/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 15 Aug 2003 22:37:11 +0000
    
    
    

    On Fri, 2003-08-15 at 20:17, Dave Killion wrote:
    > You really only need 135 blocked inbound to prevent msblast, but all of
    > those ports you've closed need to be closed for other reasons. Really,
    > all ports inbound should be blocked, except for those specific services
    > you serve (and those ports monitored and servers kept patched).

    I can't agree more :)

    > You have 2 ports for msblast backwards, however - both 69 and 4444 are not
    > inet-lan, but lan-inet. Once infected, the worm uses those ports to go
    > *out*. If you get hits on those rules, something very bad has happened.

    I think this is a great opportunity to emphasize (again) that the
    "block-all-allow-required" ruleset/mindset should also be applied to
    outbound connections on your firewalls. Or perhaps allow outbound access
    only for authenticated users. That way worms, viruses and hackers
    spawning reverse shells don't get out to the Net, causing security risks
    and liabilities for your company.

    (Perhaps I'm just getting too tired of unrestricted outbound access
    during pentests... :)

    Cheers,
    Frank

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
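
Added example, not part of the original message: a default-deny outbound policy check run over constructed firewall log records, flagging LAN hosts whose blocked traffic includes the outbound ports discussed above (69 and 4444). The LAN range, the allowlist entries, the log format and the 69/udp and 4444/tcp protocol pairing are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Assumed egress allowlist: (protocol, destination port, permitted source network).
# Anything not listed is denied, mirroring "block-all-allow-required" for outbound.
EGRESS_ALLOW = [
    ("tcp", 25, ipaddress.ip_network("10.0.1.10/32")),   # mail relay only
    ("udp", 53, ipaddress.ip_network("10.0.1.53/32")),   # internal resolver only
    ("tcp", 80, ipaddress.ip_network("10.0.2.80/32")),   # web proxy only
    ("tcp", 443, ipaddress.ip_network("10.0.2.80/32")),  # web proxy only
]

# Outbound ports the thread associates with an already infected host.
BLASTER_EGRESS = {("udp", 69), ("tcp", 4444)}

# Constructed sample records, one per line: "src dst proto dport".
SAMPLE_LOG = """\
10.0.2.80 198.51.100.7 tcp 443
10.0.5.23 203.0.113.9 udp 69
10.0.5.23 203.0.113.9 tcp 4444
10.0.5.23 198.51.100.7 tcp 80
10.0.1.53 192.0.2.53 udp 53
10.0.7.4 192.0.2.200 tcp 6667
"""

def egress_allowed(src, proto, dport):
    """True only if an allowlist entry matches protocol, port and source."""
    return any(p == proto and port == dport and src in net
               for p, port, net in EGRESS_ALLOW)

def review(log_text):
    """Return {src_ip: {"denied": [(proto, port), ...], "blaster": bool}}."""
    findings = defaultdict(lambda: {"denied": [], "blaster": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        proto, dport = parts[2].lower(), int(parts[3])
        if src not in LAN or dst in LAN:
            continue  # only LAN-to-Internet flows are egress
        if egress_allowed(src, proto, dport):
            continue
        findings[str(src)]["denied"].append((proto, dport))
        if (proto, dport) in BLASTER_EGRESS:
            findings[str(src)]["blaster"] = True
    return dict(findings)

if __name__ == "__main__":
    for host, f in sorted(review(SAMPLE_LOG).items()):
        print(host, f["denied"], "INVESTIGATE" if f["blaster"] else "policy violation")
```
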


