RE: Open All Outbound Ports?

From: Bill Lavalette (billl@cyberbase7.com)
Date: 11/09/02


From: "Bill Lavalette" <billl@cyberbase7.com>
To: "tony tony" <tonytorri@yahoo.com>, <security-basics@securityfocus.com>
Date: Fri, 8 Nov 2002 23:37:14 -0600

Tony -

Here is what I say...

First, define the business need of the port to be opened.
Second, provide the name of the business application that needs this port open.
Third, provide the project plan for implementation of the application.
Fourth, tell me who the business owner is for the project.

If they come up with these four things on a per-port basis, then use your
judgment.

<insert Joke> Adjust Security policy which denies proposed plan </end joke>

Seriously, if you do not have one, start one, or at least get some corporate
backing on security. Since you stated that the firewall group goes to you,
that indicates to me you're a decision maker. I would also re-evaluate your
security team if they are making unsound requests. You are right in thinking
opening all outbound ports is a bad idea. A classic example is here..

Director of marketing takes laptop home.

Director gets hacked via a Trojan downloaded from non-corporate mail.

Director brings laptop back to work.

Using netcat, the hacker sets up and opens a backdoor via an allowed port... and tunnels
out through a high port to avoid detection.

Your firewall team won't see this if the port is open...

Obviously there are many things that might catch the Trojan, i.e. corporate AV
etc., but this is a classic order of events that could spell disaster for
you..

Hope this helps,

Bill Lavalette
Chief Security Officer
CyberBase7 Security Services METRO-SOC
Email: Operations@cyberbase7.com
http://www.cyberbase7.com
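As an added illustration of the scenario in the reply above (this is example code, not part of the original thread or of CyberBase7's work): a few constructed firewall log lines in iptables LOG style are replayed through the two egress policies under discussion. `allow_all()` is the policy the firewall group proposed; `default_deny()` is an allowlist of business-justified outbound ports, which is what answering the four questions per port produces. The allowlist, host addresses, ports and log lines are all assumptions made up for the example.

```python
"""
Added example, not part of the mailing-list thread: replay constructed
firewall log lines through an allow-all egress policy and a default-deny
allowlist, and list the outbound connections that only the allowlist
would have stopped (and therefore logged).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed allowlist: destination port -> set of internal sources permitted to
# use it, or None when any internal host may. This is the kind of table the
# per-port business-need review in the reply produces.
EGRESS_ALLOW: Dict[int, Optional[Set[str]]] = {
    80: None,            # HTTP browsing from any internal host
    443: None,           # HTTPS browsing from any internal host
    25: {"10.0.0.5"},    # SMTP only from the mail relay
    53: {"10.0.0.2"},    # DNS only from the internal resolver
}

# Constructed log lines: a workstation (10.0.1.23) browsing normally, then the
# "laptop came back infected" case tunnelling out on an arbitrary high port,
# plus two hosts bypassing the mail relay and the internal resolver.
SAMPLE_LOG = """\
Nov  8 23:40:01 fw kernel: OUT=eth1 SRC=10.0.1.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Nov  8 23:40:05 fw kernel: OUT=eth1 SRC=10.0.0.5 DST=203.0.113.25 PROTO=TCP SPT=40211 DPT=25
Nov  8 23:41:12 fw kernel: OUT=eth1 SRC=10.0.1.23 DST=198.51.100.7 PROTO=TCP SPT=49876 DPT=40123
Nov  8 23:41:30 fw kernel: OUT=eth1 SRC=10.0.1.44 DST=203.0.113.25 PROTO=TCP SPT=33001 DPT=25
Nov  8 23:42:02 fw kernel: OUT=eth1 SRC=10.0.1.23 DST=198.51.100.7 PROTO=UDP SPT=51000 DPT=53
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Extract the fields we need from a LOG record; None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Flow(m["src"], m["dst"], m["proto"], int(m["dpt"]))


def allow_all(flow: Flow) -> bool:
    """The proposed policy: every outbound port is open."""
    return True


def default_deny(flow: Flow, allow: Dict[int, Optional[Set[str]]] = EGRESS_ALLOW) -> bool:
    """Egress allowlist: permit only justified ports, and only from the hosts that need them."""
    if flow.proto not in ("TCP", "UDP"):
        return False
    if flow.dport not in allow:
        return False
    sources = allow[flow.dport]
    return sources is None or flow.src in sources


def invisible_under_allow_all(lines: List[str]) -> List[Flow]:
    """Flows that allow_all passes silently but default_deny would block and log.

    These are the connections the reply says the firewall team "won't see"
    once every outbound port is open.
    """
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return [f for f in flows if allow_all(f) and not default_deny(f)]


def by_source(flows: List[Flow]) -> Dict[str, int]:
    """Count blocked flows per internal host; the high count singles out the suspect machine."""
    return dict(Counter(f.src for f in flows))


if __name__ == "__main__":
    missed = invisible_under_allow_all(SAMPLE_LOG.splitlines())
    for f in missed:
        print(f"default-deny would block: {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("per host:", by_source(missed))
```

Run stand-alone, the script reports the three flows that only the allowlist catches: the workstation's connection to the high port, a second workstation sending SMTP around the relay, and the same workstation querying an external DNS server directly. With every outbound port open, none of these produce a deny entry, so there is nothing for the firewall team to notice.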

-----Original Message-----
From: tony tony [mailto:tonytorri@yahoo.com]
Sent: Thursday, November 07, 2002 7:34 PM
To: security-basics@securityfocus.com
Subject: Open All Outbound Ports?

Hi,

Our firewall group has come to me several times over the last few months
wanting my approval to open all of the OUTBOUND ports on our firewall facing
the internet. Their argument is that this would not significantly reduce our
security and it will reduce their time/effort in administration. They claim
they get several requests a week to open up outbound ports and the number
keeps growing each month. They want to go for the gusto and open up all 65,000+
outbound ports.

I am in the security area and they want my agreement/sign off before they do
this. It just does not feel/smell right but I am losing ground with my
arguments. What are some good arguments I can use?

Tony
