RE: Open All Outbound Ports?

From: Farrelly, Brian (Brian.Farrelly@ca.com)
Date: 11/15/02

    Date: Fri, 15 Nov 2002 13:03:12 -0500
    From: "Farrelly, Brian" <Brian.Farrelly@ca.com>
    To: "Chris Alliey" <calliey@bellatlantic.net>, "Chris Berry" <compjma@hotmail.com>, <security-basics@securityfocus.com>

    Read

    http://slacksite.com/other/ftp.html

    A pretty good explanation of Active vs Passive FTP.

    Brian

    -----Original Message-----
    From: Chris Alliey [mailto:calliey@bellatlantic.net]
    Sent: Wednesday, November 13, 2002 8:44 PM
    To: Chris Berry; security-basics@securityfocus.com
    Subject: RE: Open All Outbound Ports?

    I know I don't have all the expertise that a lot of the people on this list
    probably have - so PLEASE take it easy on me for responding to this.

    I too have had a 'network engineering' team make this suggestion, and get it
    passed (over my objections). Even though I brought up a lot of the reasons
    already mentioned (security, DDOS zombies, Kazaa, limewire, ....),
    executives allowed them to open the ports out -- because they are the
    'network security experts' in our company. I never agreed with it, but one
    of their reasons to open this was passive FTP. Their reason was a lot of
    the sites that were visited used Passive FTP, that randomly uses any port
    above port 1024.

    Can anyone comment on this? This never sat well with me, and I really
    didn't like it when vendors who brought laptops into our environment -
    discovered this, after only 1 week on site :-( As a server engineer, I've
    had to deal with the NIMDA and other worms/virii/.... as you can guess,
    that was a little worrisome.

    Chris

    -----Original Message-----
    From: Chris Berry [mailto:compjma@hotmail.com]
    Sent: Monday, November 11, 2002 4:03 PM
    To: security-basics@securityfocus.com
    Subject: Re: Open All Outbound Ports?

    >From: tony tony <tonytorri@yahoo.com>
    >Our firewall group has come to me several times over the last few months
    >wanting my approval to open all of the "OUTBOUND" ports on our firewall
    >facing the internet.

    Not a good idea. One of the most important things during a security breach
    is to keep the attacker from using your platform as a staging ground. By
    preventing them from communicating freely, you greatly retard their
    capabilities. For example, a trojan will probably try to "phone home" and
    if you have blocking set up this will show in your logs. By opening all
    your outbound ports you're just asking to be a DDOS zombie, warez ftp
    server, etc.

    >Their argument is that this would not significantly reduce our security

    Not true; just like a military base, it's important to know what is going out
    as well as what is coming in.

    >and it will reduce their time/effort in administration.

    Possibly true, although the amount of time it takes to open a set of ports
    can't be very long.

    >They claim they get several requests a week to open up outbound ports and
    >the number keeps growing each month.

    How can this be true? This would make me highly suspicious; I would want a
    record of all the ports they've opened over the last three months and what
    programs/services they opened them for. I mean, unless you guys are going
    through some kind of major upgrade cycle, there should be little or no change
    in your port list on a monthly basis.

    >They want to go for the gusto...and open up all 65,000+ outbound ports.
    >I am in the security area and they want my agreement/sign off before they
    >do this. It just does not "feel/smell right" but I am losing ground with
    >my arguments. What are some good arguments I can use?

    Not only would I not sign off on this, I'd launch an investigation into
    their procedures, something definitely doesn't feel right here. I would
    suspect that they are allowing traffic that they shouldn't be just because
    someone asked for it. Kazaa for example.

    Chris Berry
    compjma@hotmail.com
    Systems Administrator
    JM Associates

    "And here in our server room you can see our Beowulf Cluster of C64's that
    keeps our enterprise on the very cutting edge of technology."

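The passive-FTP argument raised in this thread (the client must connect out to a server-chosen port above 1024) is exactly the case an application-aware egress filter handles without opening every outbound port: it reads the server's `227` reply on the already-permitted control connection and opens a one-shot pinhole for just that endpoint, while every other unexpected outbound connection is denied and logged, which is the "phone home shows up in your logs" point Chris Berry makes. The following Python model is an added example written for this page, not code from the thread or from any firewall product; `EgressPolicy`, `parse_pasv`, `demo` and all IP addresses and ports are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959).
# The server picks the data port per transfer; it is encoded as p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not a usable PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    port = p1 * 256 + p2
    if port == 0:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", port)


@dataclass
class EgressPolicy:
    """Default-deny egress filter with one-shot pinholes for negotiated FTP data ports.

    This is a constructed model of what a stateful firewall's FTP helper does; it is
    not an interface to any real firewall.
    """
    allowed: set                                   # statically permitted (proto, dst_port)
    pinholes: dict = field(default_factory=dict)   # (dst_ip, dst_port) -> reason
    log: list = field(default_factory=list)        # denied and rejected events

    def open_pinhole(self, control_server_ip, pasv_reply):
        """Called when a 227 reply is seen on an already-allowed control connection."""
        ep = parse_pasv(pasv_reply)
        if ep is None:
            self.log.append(f"IGNORE malformed PASV reply from {control_server_ip}")
            return False
        ip, port = ep
        # Design choice: only trust a data endpoint on the same server as the control
        # channel, and only an ephemeral port. Anything else is not the data channel
        # the client asked for, so no pinhole is opened.
        if ip != control_server_ip or port < 1024:
            self.log.append(
                f"REJECT PASV pinhole {ip}:{port} (control server {control_server_ip})"
            )
            return False
        self.pinholes[(ip, port)] = "ftp-pasv"
        return True

    def decide(self, proto, dst_ip, dst_port):
        """Return 'ALLOW' or 'DENY' for an outbound connection attempt; denials are logged."""
        if (proto, dst_port) in self.allowed:
            return "ALLOW"
        if proto == "tcp" and self.pinholes.pop((dst_ip, dst_port), None):
            return "ALLOW"   # pinhole consumed: one data connection, then closed again
        self.log.append(f"DENY {proto} -> {dst_ip}:{dst_port}")
        return "DENY"


def demo():
    """Run constructed traffic through the policy; returns (decisions, log)."""
    policy = EgressPolicy(allowed={("tcp", 80), ("tcp", 443), ("tcp", 21), ("udp", 53)})
    ftp_server = "198.51.100.7"   # constructed documentation address
    decisions = [
        policy.decide("tcp", "203.0.113.10", 443),   # web: ALLOW (static rule)
        policy.decide("tcp", ftp_server, 21),        # FTP control channel: ALLOW
    ]
    # Server answers PASV with data port 195*256 + 80 = 50000 on the same host.
    policy.open_pinhole(ftp_server, "227 Entering Passive Mode (198,51,100,7,195,80)")
    decisions.append(policy.decide("tcp", ftp_server, 50000))   # data channel: ALLOW via pinhole
    decisions.append(policy.decide("tcp", ftp_server, 50000))   # second attempt: DENY, pinhole used
    decisions.append(policy.decide("tcp", "192.0.2.44", 6667))  # unexpected high port: DENY, logged
    return decisions, policy.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

The point the model makes against the "open all 65,000+ ports" proposal: the only high port that ever needs to be reachable is the one the server just announced on a connection the policy already permitted, and it is closed again as soon as it is used. Everything else above 1024 stays denied and leaves a log line, which is what lets a compromised host's outbound connection attempts be noticed at all.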