Re: [fw-wiz] outbound traffic security risk

From: Holger Kipp (Holger.Kipp_at_alogis.com)
Date: 03/23/04

    To: Hilal Hussein <hilalma@hotmail.com>
    Date: Tue, 23 Mar 2004 15:13:48 +0100
    
    

    On Tue, Mar 23, 2004 at 08:50:12AM +0000, Hilal Hussein wrote:
    > Dear List,
    >
    > I would like to ask about the risk of opening outbound port traffic in the
    > firewall.
    >
    > Currently, I am opening the outbound port traffic based on the user
    > request, e.g. POP3 and SMTP traffic. I read about some risk that could be in
    > some kind of outbound traffic which might pass Java scripts, or trojan
    > horses, or other kinds of attacks during the opened session from users
    > (inside the network) to the outside.

    Allowing outbound traffic also allows answers to come back. The easiest example
    is HTTP: you allow outbound traffic which requests several files. Depending
    on the OS of the client, this might be sufficient to get a trojan installed
    on the client inside the protected network.

    Trojans can then use one of these open ports to connect to the outside world
    to transmit any data, or even allow external crackers to send commands to
    the infected client.

    The risk can be minimised, e.g.
    - by restricting outgoing connections to specific servers
    - by using a proxy and not allowing clients direct access
    - by redirecting all traffic (if applicable) through a virus scanner,
      e.g. FTP, HTTP, email
    - by using virus scanners etc. on all clients
    - by using clients that
      - are easy to maintain and upgrade
      - don't allow users to install their own software
      - are not easily compromised
    - by not allowing direct access
      - a system in the DMZ accesses external sources; clients can
        access this system only for viewing (e.g. using VNC, X)
    - by thoroughly testing applications before they are put on the
      clients
    - by scanning the internal network (especially the gateway) for illegal requests. If you
      are using a proxy for HTTP/HTTPS/FTP, only allow some ports (see squid for
      an example) and check whether other ports are also requested. This might be an
      indication of an internal system being compromised.

    For specific tasks you might consider a specially hardened client system
    within the DMZ.

    Depending on the security level you want, this might be very expensive.
    YMMV.

    Regards,
    Holger Kipp
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
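The last mitigation in the reply above (restrict the proxy to a few ports, then look for clients that ask for anything else) is a check you can run over the proxy's own log. The following script is an added example, not code from the original post or from the squid project; it assumes squid's native access.log layout (timestamp, elapsed, client, action/code, size, method, URL, ident, hierarchy/from, type), a deliberately tight allow-list of ports 80, 443 and 21 (squid's stock Safe_ports list is wider), and a handful of constructed log lines standing in for real traffic. Denied requests are reported too, because a client that keeps asking for ports the proxy refuses is exactly the signal the reply says to chase.

```python
"""Flag internal clients that ask the proxy for ports outside the allowed set."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format; not real traffic.
SAMPLE_LOG = """\
1079940000.123    120 192.168.1.10 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1079940010.456    230 192.168.1.10 TCP_MISS/200 4567 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1079940020.789     80 192.168.1.11 TCP_MISS/200 321 GET ftp://ftp.example.org/pub/README - DIRECT/192.0.2.20 text/plain
1079940030.012      0 192.168.1.12 TCP_DENIED/403 1200 CONNECT irc.example.net:6667 - HIER_NONE/- text/html
1079940040.345      0 192.168.1.12 TCP_DENIED/403 1200 GET http://203.0.113.5:8080/cmd - HIER_NONE/- text/html
1079940050.678    150 192.168.1.13 TCP_MISS/200 999 GET http://www.example.com:81/update.exe - DIRECT/192.0.2.10 application/octet-stream
"""

# Tight allow-list (an assumption for this example; squid's default Safe_ports is wider).
ALLOWED_PORTS = {80, 443, 21}
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

# Assumed native access.log layout; the trailing content-type field is not needed.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)"
)


def requested_port(method, url):
    """Return the TCP port a request targets, or None if it cannot be determined."""
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL.
        host, sep, port = url.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORT.get(parts.scheme.lower())


def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = requested_port(rec["method"], rec["url"])
    rec["denied"] = rec["action"].startswith("TCP_DENIED")
    return rec


def find_suspicious(log_text, allowed=ALLOWED_PORTS):
    """Map client -> list of (port, url, denied) for requests outside the allowed ports.

    Requests whose port cannot be determined are reported as well, since an
    unparsable target is itself worth a look.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] is None or rec["port"] not in allowed:
            hits[rec["client"]].append((rec["port"], rec["url"], rec["denied"]))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(client)
        for port, url, denied in reqs:
            print(f"  port {port!s:<5} {'denied ' if denied else 'allowed'} {url}")
```

On the sample above, 192.168.1.12 shows up for the denied IRC and port-8080 requests and 192.168.1.13 for an executable fetched from port 81, which the proxy let through; the first is a host to check for a trojan, the second is a port the allow-list should probably not contain. Point it at a real log with `find_suspicious(open("/var/log/squid/access.log").read())` and tighten `ALLOWED_PORTS` to whatever your policy actually permits.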
