RE: Outbound Firewall Rules for a Web Server

From: Jared Valentine (hidden@xmission.com)
Date: 05/16/02


Date: Thu, 16 May 2002 14:32:05 -0600 (MDT)
From: Jared Valentine <hidden@xmission.com>
To: Robert Buel <rbuel@solubility.com>

3Com has an Embedded Firewall on a PCI card that can be used to secure individual machines (including webservers). The PCI card can restrict inbound/outbound traffic such that the machine in question could be a webserver, but is unable to initiate connections back out into the network.

http://www.3com.com/security/efw_info.html

It's a good product for hardening a server (making sure it only uses approved ports, protocols, directions, etc.) as well as desktop PCs.

Jared Valentine
Network Security Consultant
3Com Corporation
jared_valentine@3com.com

On Wed, 15 May 2002, Robert Buel wrote:

> Is the Web server located on your internal private network (LAN)? I
> believe that it is a very bad idea to locate a web server on your
> internal LAN. If the box is rooted, then they have full access to your
> data and internal operations. If it is in a DMZ, then that is fine...
> Definitely secure outbound ports. Stephen was right on...
>
> Bob
>
> -----Original Message-----
> From: Stephen Kemler [mailto:stk5@po.cwru.edu]
> Sent: Tuesday, May 14, 2002 1:55 PM
> To: Craig Brauckmiller; security-basics@securityfocus.com
> Subject: Re: Outbound Firewall Rules for a Web Server
>
> > I have our IIS 5 server sitting on a private network with
> > an IP of 10.2.32.20. It is being NAT'd via CheckPoint NG.
> > I only allow HTTP traffic in to the web server but I allow
> > the server unrestricted access out from the network.
> >
> > 1. Is this a good idea?
> >
> > 2. Should I lock down the web server's outbound ports to
> > prevent Nimda/CodeRed type infections from propagating from
> > my server?
>
> You should definitely lock down your outbound traffic for all systems,
> especially systems that are accessible from outside the network. Consider a
> very simple example: An attacker compromises your IIS server, installs an
> SSH client, and then uses your compromised host to launch further attacks.
> The idea here is to minimize damage. If your system is compromised, you have
> problems to deal with. If your system is compromised, and used to launch a
> further attack, you could have law enforcement agents to deal with.
>
> > 3. What ports should I allow the server to go out on if any?
>
> What do you use your Webserver for? If it is used strictly for serving
> HTTP, then you should not have to allow much. Although you could probably
> get away with allowing no outbound traffic, you will probably want to be
> able to resolve names in your logs, so probably DNS. Have any pages that
> generate emails? Then you will need to open SMTP. Also keep in mind that
> you can restrict where the outbound traffic goes -- so even if you
> decide to open up DNS, you could specify only to your DNS server.
>
> If you really want to determine what you have to open, close everything, and
> see what stops working, or who complains. Otherwise, set up a sniffer for
> a couple of days to determine that same information with less disruption.
>
> Hope this helps,
> Steve
>
>
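
Steve's sniffer-then-restrict approach, as an added example that is not code from this thread or from any product it mentions: it reads constructed flow records for the web server at 10.2.32.20, summarizes the destinations the server actually talks to (the capture step used to draft the allow list), and then flags outbound connections that fall outside a DNS-to-resolver and SMTP-to-relay policy. The resolver and mail relay addresses are assumed placeholders.

```python
"""Egress review for a web server: summarize observed outbound flows, then check them
against a narrow allow list (destination, protocol, port), as the thread recommends."""
from collections import Counter

WEB_SERVER = "10.2.32.20"  # address given in the original question

# Assumed addresses for the internal resolver and mail relay (placeholders, not from the thread).
EGRESS_ALLOW = {
    ("10.2.32.5", "udp", 53),  # DNS only to the internal DNS server
    ("10.2.32.6", "tcp", 25),  # SMTP only to the internal mail relay
}

# Constructed sample flow records: timestamp src dst proto dport (one flow per line).
SAMPLE_FLOWS = """\
2002-05-14T13:55:01 10.2.32.20 10.2.32.5 udp 53
2002-05-14T13:55:02 10.2.32.20 10.2.32.6 tcp 25
2002-05-14T13:56:10 10.2.32.20 198.51.100.7 tcp 22
2002-05-14T13:56:11 10.2.32.20 198.51.100.7 tcp 80
2002-05-14T13:57:00 203.0.113.9 10.2.32.20 tcp 80
2002-05-14T13:58:30 10.2.32.20 10.2.32.5 tcp 53
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def outbound_from(flows, host=WEB_SERVER):
    """Only flows initiated by the server count as egress; inbound HTTP hits are ignored."""
    return [f for f in flows if f["src"] == host]


def observed_destinations(flows, host=WEB_SERVER):
    """Capture-phase summary: how often each (dst, proto, port) was seen, to draft the allow list."""
    return Counter((f["dst"], f["proto"], f["dport"]) for f in outbound_from(flows, host))


def violations(flows, host=WEB_SERVER, allow=EGRESS_ALLOW):
    """Enforcement-phase check: egress flows not matching an allow-list tuple.
    Note that TCP/53 to the resolver is flagged too, since the policy permits UDP only;
    a reviewer decides whether to widen the rule or treat it as anomalous."""
    return [f for f in outbound_from(flows, host)
            if (f["dst"], f["proto"], f["dport"]) not in allow]
```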
