Re: Unrestricted Outbound Web Server Access Opinion

From: Diego Kellner (dkepler_at_gmail.com)
Date: 05/04/05

    Date: Wed, 4 May 2005 09:25:29 -0300
    To: security-basics@securityfocus.com
    
    

    Paul, the main problem with unrestricted outbound access is the one
    you mention. Once the security of the server is compromised, it is
    easier to transfer data from/to the server. It is not impossible if
    you restrict traffic to port 80; it makes it harder for the script
    kiddies. It is a good policy to have both inbound as well as outbound
    traffic restricted, and it's one of the things that's usually neglected
    in some firewall solutions, such as PIX, where rules (access lists)
    are applied to inbound traffic only in the outside interface.
    The real question, however, is why is it that they need unrestricted
    outbound access?
    Regards,
    Kepler

    On 5/3/05, Paul Guibord <pguibord@tngtech.net> wrote:
    >
    > Hello All,
    >
    > Someone within our company wants our Internet facing web servers to have
    > unrestricted outbound access. Port 80 is the only port permitted from
    > the outside coming in. I need the experts' opinion why we do not want to
    > permit this PLEASE. Two things I could think of are if the web servers
    > were compromised, then the hacker would have the ability to offload any
    > data they want. Another being if they were infected with a worm they
    > would bring down the Internet T1 in their attempt to find other devices
    > to infect.
    >
    > Thanks in advance for everyone's input.
    >
    > Paul
    >
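
The policy discussed in this thread (inbound limited to port 80, outbound restricted as well) written out as a host firewall ruleset. This is an added example, not part of the original messages. It assumes a Linux web server using iptables, which the thread does not mention, and the allow-list addresses are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for an Internet-facing web
# server. Inbound is limited to TCP/80; outbound is default-deny apart from
# replies and an explicit allow-list. Arguments: "proto:dest_ip:port" ...
egress_ruleset() {
    allow=""
    for entry in "$@"; do
        proto=${entry%%:*}; rest=${entry#*:}
        ip=${rest%%:*};     port=${rest#*:}
        # Validate everything before printing, so a bad entry yields no rules.
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $entry" >&2; return 1 ;; esac
        # Numeric addresses only (coarse check): rules must not depend on DNS.
        case "$ip" in ''|*[!0-9./]*) echo "bad address: $entry" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $entry" >&2; return 1 ;; esac
        allow="${allow}-A OUTPUT -p $proto -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the server was allowed to open
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service offered to the outside
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Replies to inbound web sessions; no new outbound connections match this
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    printf '%s' "$allow"
    cat <<'EOF'
# Anything else the server tries to initiate is logged, then hits the DROP policy
-A OUTPUT -m limit --limit 6/minute -j LOG --log-prefix "EGRESS-DENY: "
COMMIT
EOF
}

# Constructed allow-list (documentation addresses): a resolver and a patch mirror.
egress_ruleset "udp:192.0.2.53:53" "tcp:192.0.2.80:443"
```

The output can be checked with `iptables-restore --test` before it is loaded; the `EGRESS-DENY` log lines then show any connection the server tries to open that the allow-list does not cover.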

