Re: [fw-wiz] outbound traffic security risk

From: Don Kendrick (strider_at_mailworks.org)
Date: 03/23/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 23 Mar 2004 10:19:04 -0500


    Paul, sorry first one was from wrong account...

    I'm a firm believer in using outbound rules in all cases. It's just a
    good practice and part of defense in depth.

    You mention users sending outbound traffic. Since TCP allows data to
    flow in both directions once the connection is established, wouldn't a
    smart hacker just try to get any sort of program on your systems that
    would make the outbound request? Then they could use that connection as
    an inbound path past your firewalls. That's exactly how most
    trojans/backdoors work nowadays.

    Going one step further, many of them use a port that is usually left
    open such as 80 or 443. If you're not using a proxy at the border to
    look inside those requests you still might have trouble. But that's
    another topic.

    Now for servers. If you have a web server that hosts 80 and 443 inbound
    wouldn't you like to know if it started doing irc or tftp outbound?
    Without outbound rules, you won't know. Sure, you may still get
    hacked/defaced with an inbound attack. But you make it that much harder
    to "own" the box.

    How about an internal server. Same deal, it shouldn't be making
    outbound requests that you don't know about.

    Doing outbound rules requires that you know your traffic. Sometimes this
    is painful for an organization. But the short term pain has long term
    benefits if a new virus/worm comes out that relies on a port being open
    (why does MS come to mind) to propagate and it does.

    Further, it gives you at least a chance to be in the mix if those pesky
    developers develop something without getting security involved (does
    that ever happen?). Guess what, they have to come to you to get the
    ports open and you at least have some chance of a sanity check.

    Don

    On Mar 23, 2004, at 3:50 AM, Hilal Hussein wrote:

    > Dear List,
    >
    > I would like to ask about the risk of opening outbound port traffic
    > in the firewall.
    >
    > Currently, I am opening the outbound port traffic based on the user
    > request, such as POP3 and SMTP traffic. I read about some risk that could
    > be in some kinds of outbound traffic which might pass Java scripts, or
    > trojan horses, or other kinds of attacks during the opened session from
    > users (inside the network) to the outbound.
    >
    > So please, I need to know of any risk that could come with some kinds
    > of outbound traffic, and if there is a good link for resources about
    > the latest news of vulnerabilities of such outbound traffic.
    >
    > Your response is highly appreciated,
    >
    > with regards,
    >
    > Hilal
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

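The thread's argument is that each host should have an explicit outbound allowlist and everything else should be denied and logged, so a web server that suddenly talks IRC or TFTP, or an internal server that calls out at all, shows up immediately. The following is an added example, not code from the list or its posters: a small Python policy evaluator that models that default-deny egress stance and runs it over constructed connection attempts. The host addresses, resolver address and allowlists are assumptions chosen for illustration.

```python
"""Egress (outbound) policy check over constructed flow records.

Added example, not code from the firewall-wizards thread. It models the
default-deny outbound stance described above: each host gets an explicit
outbound allowlist, and any flow that matches no rule is denied and would
be logged. All hosts, addresses and flows below are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    dst: str = "0.0.0.0/0"   # CIDR the rule permits; default is anywhere

    def matches(self, flow: Flow) -> bool:
        return (self.proto == flow.proto and self.dport == flow.dport
                and ipaddress.ip_address(flow.dst)
                in ipaddress.ip_network(self.dst))


# Constructed per-host egress allowlists (hypothetical addresses).
RESOLVER = "192.0.2.53/32"
EGRESS_POLICY = {
    # Public web server: serves 80/443 inbound; outbound it only needs DNS and NTP.
    "192.0.2.10": [Rule("udp", 53, RESOLVER), Rule("udp", 123)],
    # Internal file server: DNS to the approved resolver only.
    "10.0.0.20": [Rule("udp", 53, RESOLVER)],
    # User workstation: mail and web, the kind of per-request allowances Hilal describes.
    "10.0.1.5": [Rule("udp", 53, RESOLVER), Rule("tcp", 25), Rule("tcp", 110),
                 Rule("tcp", 80), Rule("tcp", 443)],
}


def evaluate(flow: Flow, policy=EGRESS_POLICY) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Unknown hosts and unmatched flows are denied."""
    rules = policy.get(flow.src)
    if rules is None:
        return "deny", "no egress policy for source host"
    for rule in rules:
        if rule.matches(flow):
            return "allow", f"matched {rule.proto}/{rule.dport} to {rule.dst}"
    return "deny", "no matching outbound rule (default deny)"


def denied_flows(flows, policy=EGRESS_POLICY):
    """The flows a default-deny egress firewall would drop and log."""
    result = []
    for flow in flows:
        verdict, reason = evaluate(flow, policy)
        if verdict == "deny":
            result.append((flow, reason))
    return result


# Constructed connection attempts, the kind a firewall log would record.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.0.2.53", "udp", 53),      # web server DNS lookup: fine
    Flow("192.0.2.10", "198.51.100.7", "tcp", 6667),  # web server to IRC: should never happen
    Flow("192.0.2.10", "198.51.100.7", "udp", 69),    # web server TFTP fetch: should never happen
    Flow("10.0.0.20", "198.51.100.9", "tcp", 443),    # internal server calling out: not approved
    Flow("10.0.1.5", "203.0.113.25", "tcp", 110),     # workstation POP3: allowed
    Flow("10.0.1.5", "203.0.113.25", "udp", 53),      # DNS to a non-approved resolver: denied
]

if __name__ == "__main__":
    for flow, reason in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run as a script it prints the four denied attempts, which is exactly the signal the thread argues for: the two web-server attempts on IRC and TFTP and the internal server's unexpected outbound HTTPS are visible only because the default is deny. Pinning DNS to a specific resolver, rather than allowing UDP/53 anywhere, is what makes the last flow stand out.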

