Re: [fw-wiz] outbound traffic security risk

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 03/23/04

    To: Hilal Hussein <hilalma@hotmail.com>
    Date: Tue, 23 Mar 2004 09:03:49 -0500 (EST)
    
    

    On Tue, 23 Mar 2004, Hilal Hussein wrote:

    > Dear List,
    >
    > I would like to ask about the risk of opening outbound port traffic in the
    > firewall.

    Traffic should be allowed or disallowed by policy, not by whim. What
    ports and protocols are necessary for the business to run efficiently?
    What's the associated risk with each protocol, common applications, and
    users for each of those? Which ones will the business accept the risk
    for? Looking at it any other way is backwards and bad.

    > Currently, I am opening the outbound ports traffic based on the user
    > request, as pop3, and smtp traffic. I read about some risk that could be in
    > some kind of outbound traffic which might pass java scripts, or trojan
    > horses, or other kind of attacks during the opened session from users
    > (inside the network) to the outbound.

    Allowing external mail is pretty risky, especially if you don't have
    control over browser versions, controls, etc.

    Also, most trojaned machines "phone home" outwards, instead of taking
    connections inbound these days. Blocking outbound traffic means that
    those systems can't be controlled.

    > So please, I need to know of any risk that could come with some kind of
    > outbound traffic, and if there is a good link for resources about the
    > latest news of vulnerabilities of such outbound traffic.

    Risk comes from connectivity. The more connectivity, the more risk.
    Firewalls reduce risk by controlling and limiting connectivity. The more
    you limit, the less risk you accept.

    The more you allow, the less value you get from the firewall, until a
    point where you get none.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
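
Added example, not part of the original message or of any firewall product: a default-deny egress policy written down explicitly and checked against firewall log lines, so that hosts repeatedly attempting blocked outbound connections (the "phone home" pattern described above) stand out. The rule set, the addresses, and the `src=... dst=... proto=... dport=...` log format are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical policy: (source net, protocol, destination port, destination net).
# Default deny: a flow matching no rule is blocked. All addresses are constructed.
POLICY = [
    ("10.0.5.10/32", "tcp", 25, "0.0.0.0/0"),          # mail relay sends SMTP
    ("10.0.5.10/32", "tcp", 110, "198.51.100.20/32"),  # relay polls one POP3 server
    ("10.0.5.20/32", "tcp", 443, "0.0.0.0/0"),         # web proxy
]
RULES = [(ipaddress.ip_network(s), p, port, ipaddress.ip_network(d))
         for s, p, port, d in POLICY]

# Constructed firewall log lines, not real traffic.
SAMPLE_LOG = """\
src=10.0.5.10 dst=203.0.113.9 proto=tcp dport=25
src=10.0.1.23 dst=198.51.100.20 proto=tcp dport=110
src=10.0.1.47 dst=203.0.113.77 proto=tcp dport=6667
src=10.0.1.47 dst=203.0.113.77 proto=tcp dport=6667
src=10.0.5.20 dst=192.0.2.80 proto=tcp dport=443
src=10.0.1.47 dst=192.0.2.80 proto=tcp dport=25
garbage line the parser must skip
"""

def parse_flow(line):
    """Return a flow dict, or None if the line is not a well-formed record."""
    try:
        f = dict(kv.split("=", 1) for kv in line.split())
        return {"src": ipaddress.ip_address(f["src"]),
                "dst": ipaddress.ip_address(f["dst"]),
                "proto": f["proto"].lower(), "dport": int(f["dport"])}
    except (KeyError, ValueError):
        return None

def is_allowed(flow):
    """True only if some policy rule matches source, protocol, port and destination."""
    return any(flow["src"] in s and flow["proto"] == p and flow["dport"] == port
               and flow["dst"] in d for s, p, port, d in RULES)

def audit(log_text):
    """Count blocked outbound attempts per (src, dst, proto, dport), most frequent first."""
    denied = Counter()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and not is_allowed(flow):
            denied[(str(flow["src"]), str(flow["dst"]), flow["proto"], flow["dport"])] += 1
    return denied.most_common()

if __name__ == "__main__":
    for (src, dst, proto, dport), n in audit(SAMPLE_LOG):
        print(f"{n:3d} blocked  {src} -> {dst} {proto}/{dport}")
```

In this constructed log the desktop at 10.0.1.47 tops the list with repeated blocked attempts to one external address, while the direct POP3 and SMTP attempts from desktops show where users are bypassing the relay.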

