Re: [fw-wiz] outbound traffic security risk
From: Don Kendrick (strider_at_mailworks.org)
To: firstname.lastname@example.org Date: Tue, 23 Mar 2004 10:19:04 -0500
Paul, sorry first one was from wrong account...
I'm a firm believer in using outbound rules in all cases. It's just a
good practice and part of defense in depth.
You mention users sending outbound traffic. Since TCP allows data to
flow in both directions once the connection is established, wouldn't a
smart hacker just try to get any sort of program on your systems that
would make the outbound request? Then they could use that connection as
an inbound path past your firewalls. That's exactly how most
trojans/backdoors work nowadays.
Going one step further, many of them use a port that is usually left
open such as 80 or 443. If you're not using a proxy at the border to
look inside those requests you still might have trouble. But that's
Now for servers. If you have a web server that hosts 80 and 443 inbound
wouldn't you like to know if it started doing irc or tftp outbound?
Without outbound rules, you won't know. Sure, you may still get
hacked/defaced with an inbound attack. But you make it that much harder
to "own" the box.
How about an internal server. Same deal, it shouldn't be making
outbound requests that you don't know about.
Doing outbound rules requires that you know your traffic. Sometimes this
is painful for an organization. But the short term pain has long term
benefits if a new virus/worm comes out that relies on a port being open
(why does MS come to mind) to propagate and it does.
Further, it gives you at least a chance to be in the mix if those pesky
developers develop something without getting security involved (does
that ever happen?). Guess what, they have to come to you to get the
ports open and you at least have some chance of a sanity check.
On Mar 23, 2004, at 3:50 AM, Hilal Hussein wrote:
> Dear List,
> I would like to ask about the risk of opening outbound port traffic
> in the firewall.
> Currently, I am opening the outbound port traffic based on the user
> request, such as POP3 and SMTP traffic. I read about some risk that could
> be in some kinds of outbound traffic which might pass JavaScripts, or
> trojan horses, or other kinds of attacks during the opened session from
> users (inside the network) to the outside.
> So please, I need to know of any risk that could come with some kinds
> of outbound traffic, and if there is a good link for resources about
> the latest news of vulnerabilities of such outbound traffic.
> Your response is highly appreciated,
> with regards,
firewall-wizards mailing list
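The point Don makes about servers (a box that serves 80 and 443 inbound has no business opening IRC or TFTP outbound, and without outbound rules you will never see it) is easy to turn into a check. The following is an added example, not code from the original thread or from any firewall product: a default-deny, per-host egress policy evaluated over constructed firewall-style "new connection" log lines. The host names, addresses, the policy table and the log format are all assumptions made up for the illustration.

```python
"""Added example (not part of the original thread): a tiny per-host
default-deny egress policy evaluated over constructed firewall-style
log lines.  Host names, addresses, policy entries and the log format
are assumptions for illustration, not any real firewall's config or
syslog output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One new outbound connection attempt as a firewall might log it."""
    src: str
    dst: str
    proto: str
    dport: int

# Default-deny egress policy: a host may only open the (proto, dport, dst)
# tuples listed for it; dst=None means "any destination".  Hosts absent
# from the table get nothing outbound at all.  (Assumed policy.)
EGRESS_POLICY = {
    # Public web server: serves 80/443 inbound, needs only DNS to the
    # resolver and SMTP to the mail relay outbound.
    "web1": {("udp", 53, "10.0.0.2"), ("tcp", 25, "10.0.0.3")},
    # Internal file server: should never initiate anything outbound.
    "fileserver": set(),
    # User subnet: web, mail submission and POP3 (the ports the original
    # question mentions), to anywhere.
    "users": {("tcp", 80, None), ("tcp", 443, None),
              ("tcp", 25, None), ("tcp", 110, None)},
}

def host_group(src_ip: str) -> str:
    """Map a source address to a policy entry (assumed addressing plan)."""
    if src_ip == "192.0.2.10":
        return "web1"
    if src_ip == "10.0.1.5":
        return "fileserver"
    if src_ip.startswith("10.0.2."):
        return "users"
    return "unknown"   # unknown hosts fall through to deny

def evaluate_outbound(flow: Flow) -> str:
    """Return 'allow' only if an explicit egress rule matches, else 'deny'."""
    for proto, dport, dst in EGRESS_POLICY.get(host_group(flow.src), set()):
        if flow.proto == proto and flow.dport == dport and dst in (None, flow.dst):
            return "allow"
    return "deny"

# Assumed log format: "<ts> NEW <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^\S+ NEW (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line into a Flow; None if it is not a NEW record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"], int(m["dport"]))

def audit(lines) -> List[Tuple[Flow, str]]:
    """Evaluate every parseable new-connection record against the policy."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            results.append((flow, evaluate_outbound(flow)))
    return results

def denied(lines) -> List[Flow]:
    """Just the flows the policy would block (and therefore log)."""
    return [flow for flow, verdict in audit(lines) if verdict == "deny"]

# Constructed sample log: the web server doing IRC and TFTP outbound, then
# legitimate DNS; a user doing HTTPS and POP3; a user trying IRC; the file
# server trying to reach SMB on the Internet.
SAMPLE_LOG = """\
2004-03-23T10:19:04 NEW tcp 192.0.2.10:40001 -> 198.51.100.7:6667
2004-03-23T10:19:05 NEW udp 192.0.2.10:40002 -> 198.51.100.7:69
2004-03-23T10:19:06 NEW udp 192.0.2.10:40003 -> 10.0.0.2:53
2004-03-23T10:19:07 NEW tcp 10.0.2.40:51000 -> 203.0.113.9:443
2004-03-23T10:19:08 NEW tcp 10.0.2.40:51001 -> 203.0.113.9:110
2004-03-23T10:19:09 NEW tcp 10.0.2.41:51002 -> 198.51.100.7:6667
2004-03-23T10:19:10 NEW tcp 10.0.1.5:33000 -> 203.0.113.9:445
""".splitlines()

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5} {flow.proto}/{flow.dport:<5} {flow.src} -> {flow.dst}")
```

The design choice is the one the thread argues for: the policy lists what each host is known to need and everything else is denied, so the web server's IRC and TFTP attempts and the file server's outbound SMB show up as denies rather than disappearing into an "allow any outbound" rule. Note the caveat Don also raises: a backdoor that calls home on tcp/443 from the user subnet passes this port-based check, which is why inspecting 80/443 at a proxy is the next layer, not a replacement for this one.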