Re: [fw-wiz] outbound traffic security risk

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 03/23/04

  • Next message: Wes Noonan: "RE: [fw-wiz] (no subject)" 
    To: firewall-wizards@honor.icsalabs.com
Date: Tue, 23 Mar 2004 20:15:26 +0530

    On 23/03/04 09:04 -0500, Mitchell Rowton wrote:
    > Allowing all outbound traffic also increases the likelihood of backdoors
    > into your network.
    >
    > http://www.securitydocs.com/links/detail/803
    >
    > Plus, most of the scans constantly hitting everyones network originates
    > from a network that doesn't filter outbound traffic. Of course it would
    > be hard for an ISP to restrict outbound port 80 traffic, but msrpc and
    > sql are examples that could be blocked unless needed for specific hosts.
    Ahem! ISPs are /not/ corporate providers. They should NOT be blocking
    stuff (currently, NetBIOS and a bunch of MS ports exempted, and port 25
    outbound, but thats a different beast.). I want my ISP to only give me a
    pure network connection and let me run my own services.
    Take reactive action against clients who spam, or abuse the Internet,
    but the whole role of an ISP is to provide access.

    A corporate network, on the other hand, is a different kettle of fish.

    ISPs MUST filter out traffic which should not originate from their
    network, or their downstreams or peers.

    > In general, I think that people who don't attempt egress filtering are
    > bad internet citizens who contribute to my bloated IDS logs.
    Agreed.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Wes Noonan: "RE: [fw-wiz] (no subject)"

    Relevant Pages

    • Re: Unable to telnet into port 25
      ... If they cannot connect to your exchange server from their office (presumably on the same network as your router) then the problem is either with the ISP end or your end of that line between those two points. ... Test the computer first from within your network and make sure that it can connect via port 25 in a telnet session. ...
      (microsoft.public.exchange.setup)
    • RE: multiple uplinks from ISP
      ... Getting VMware network to network can be hard. ... I think he knows a lot about multipath routing with or without quagga. ... Subject: multiple uplinks from ISP ...
      (freebsd-net)
    • Re: stream live content online
      ... that port 8080 is commonly used by other services and that a different port ... set up on my home network.. ... the current setup for my isp is much like having a single network for each ... case, if i remove the router and directly connect to the isp, i get the ...
      (microsoft.public.windowsmedia)
    • Re: multiple uplinks from ISP
      ... machines for building a test network, in other words I cannot do experiments ... Subject: multiple uplinks from ISP ... What you need is two machines with 3 interfaces each. ...
      (freebsd-net)
    • Rh 9 Modem Connection Problem
      ... I have a problem with connecting to my ISP with RH 9 and it is driving me ... Network tool, I keep getting the error messages "Can not activate network ... adapter, add modem adapter, did the whole lot again by deleting the modem ... Feb 29 07:06:02 localhost wvdial: Initializing modem. ...
      (linux.redhat.install)