Re: Ports getting hammered?


>
> 1. it's not on the list of allowed outbound ports/protocols
> 2. it's on the list of blocked outbound ports/protocols
> 3. it's not on the list of allowed destinations
> 4. it's on the list of blocked destinations
> 5. it contains traffic that can be identified as problematic based on
> signature (deep inspection)
> 6. the behaviour of the traffic can be identified as nefarious (metrics,
> threholds, or profiling)
> 7. combinations of the above methods

Not to be smart here but my Watchguard is not just going to start blocking
outbound from some machine that it has determined that outbound traffic is
dubious in some nature - automatically. Maybe some of the higher end models
can do it but I don't have one of those. The only PFW solution that I know
about that will stop outbound on its own based on some kind of traffic
analysis of protocols being broken is Blackice in conjunction with using
IPsec running on the machine. That traffic that was being blocked outbound
just happened to be the query by the XP O/S to the MS site for time sync
that the XP O/S was having trouble at the time, which I told BI to accept
the traffic and forget about it.

I am aware of ZA and have used it. And I know that ZA is not stopping
outbound on its own unless some rules are being set to stop it. It's not
just going to start blocking outbound on its own and many of them cannot do
it.

Duane :)




.