Re: Ports getting hammered?

"Duane Arnold" <No@xxxxxx> wrote in message
news:YfSuf.3070$Hl6.311@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>>
>> 1. it's not on the list of allowed outbound ports/protocols
>> 2. it's on the list of blocked outbound ports/protocols
>> 3. it's not on the list of allowed destinations
>> 4. it's on the list of blocked destinations
>> 5. it contains traffic that can be identified as problematic based on
>> signature (deep inspection)
>> 6. the behaviour of the traffic can be identified as nefarious (metrics,
>> thresholds, or profiling)
>> 7. combinations of the above methods
>
> Not to be smart here but my Watchguard is not just going to start blocking
> outbound from some machine that it has determined that outbound traffic is
> dubious in some nature - automatically. Maybe some of the higher end
> models can do it but I don't have one of those. The only PFW solution that
> I know about that will stop outbound on its own based on some kind of
> traffic analysis of protocols being broken is Blackice in conjunction with
> using IPsec running on the machine. That traffic that was being blocked
> outbound just happened to be the query by the XP O/S to the MS site for
> time sync that the XP O/S was having trouble at the time, which I told BI
> to accept the traffic and forget about it.
>
> I am aware of ZA and have used it. And I know that ZA is not stopping
> outbound on its own unless some rules are being set to stop it. It's not
> just going to start blocking outbound on its own and many of them cannot
> do it.
>
> Duane :)

Well to be honest I'm not fully up on most software firewalls as I don't
believe in them as a genre. I run one sometimes to support clients that in
fact does inspect traffic for nefarious content and can utilize most of the
techniques I noticed including recognizing signatures of outbound traffic.
It's the FortiClient which is the FortiGate's IPSec client. That's what my
comments were based on.

If your Watchguard can't stop outbound traffic... is it really useful?
Would not the Windows XP firewall do exactly the same work?

As far as the appliance-based approach, the FortiGate firewall line in fact
uses all the methods I mentioned and more to stop outbound traffic, no
matter who solicits or initiates it, and it can't be compromised by the
malware itself. Which is what makes that approach superior to a software
based firewall approach.

-Russ.
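The seven blocking criteria quoted at the top of this post are easy to read but easier to misunderstand until you see them applied in order. The following is an added example written for this thread, not code from Watchguard, Fortinet, Blackice or ZoneAlarm, and it does not reproduce how any of those products work internally. It assumes a hypothetical Flow record (one outbound connection), a constructed policy, a constructed payload signature (`constructed-bot/`) and constructed flows, including the NTP time-sync query Duane mentions, which the allow list on udp/123 lets through. Criterion 7 (combinations) is simply the fact that every flow passes through all of the checks; the reported reason is the first one that fires.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One outbound connection as a firewall would see it (hypothetical record)."""
    src: str          # internal host that initiated the connection
    dst: str          # destination IP address
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    payload: bytes    # first bytes of the stream, used for signature matching
    minute: int       # coarse timestamp, used for the behavioural threshold


@dataclass
class EgressPolicy:
    """Outbound policy built from the criteria listed in the post."""
    allowed_ports: set = field(default_factory=set)    # {(proto, port)}; empty = any port
    blocked_ports: set = field(default_factory=set)    # {(proto, port)}
    allowed_dests: list = field(default_factory=list)  # ip_network objects; empty = any
    blocked_dests: list = field(default_factory=list)  # ip_network objects
    signatures: dict = field(default_factory=dict)     # name -> compiled bytes regex
    max_flows_per_minute: int = 0                      # 0 disables the rate threshold


class EgressFilter:
    def __init__(self, policy):
        self.policy = policy
        self._counts = defaultdict(int)  # (src, minute) -> new flows seen so far

    def evaluate(self, flow):
        """Return ("allow"|"block", reason); reason numbers match items 1-6 in the post."""
        p = self.policy
        dst = ipaddress.ip_address(flow.dst)
        key = (flow.proto, flow.dport)
        if key in p.blocked_ports:                                   # item 2
            return "block", "2: port/protocol on block list"
        if p.allowed_ports and key not in p.allowed_ports:           # item 1
            return "block", "1: port/protocol not on allow list"
        if any(dst in net for net in p.blocked_dests):               # item 4
            return "block", "4: destination on block list"
        if p.allowed_dests and not any(dst in net for net in p.allowed_dests):  # item 3
            return "block", "3: destination not on allow list"
        for name, rx in p.signatures.items():                        # item 5
            if rx.search(flow.payload):
                return "block", f"5: payload matches signature {name!r}"
        if p.max_flows_per_minute:                                   # item 6
            self._counts[(flow.src, flow.minute)] += 1
            if self._counts[(flow.src, flow.minute)] > p.max_flows_per_minute:
                return "block", "6: new-flow rate above threshold"
        return "allow", "no rule matched"


def build_demo_policy():
    # Constructed workstation policy: web, DNS and NTP out; no direct SMTP;
    # one documentation-range network blocked; a constructed bot signature.
    return EgressPolicy(
        allowed_ports={("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)},
        blocked_ports={("tcp", 25)},
        blocked_dests=[ipaddress.ip_network("198.51.100.0/24")],
        signatures={"constructed-bot-ua": re.compile(rb"User-Agent: constructed-bot/")},
        max_flows_per_minute=20,
    )


# Constructed sample flows; addresses are from documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80, b"GET / HTTP/1.1\r\n", 1),          # plain web
    Flow("10.0.0.5", "203.0.113.10", "udp", 123, b"\x1b" + b"\x00" * 47, 1),         # NTP time sync
    Flow("10.0.0.5", "203.0.113.25", "tcp", 25, b"EHLO host\r\n", 1),                 # direct SMTP
    Flow("10.0.0.5", "203.0.113.40", "tcp", 6667, b"NICK x\r\n", 1),                  # IRC, not allowed
    Flow("10.0.0.5", "198.51.100.7", "tcp", 443, b"\x16\x03\x01", 1),                 # blocked network
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80,
         b"GET /c HTTP/1.1\r\nUser-Agent: constructed-bot/1.0\r\n", 1),              # signature hit
]


def run_demo():
    """Evaluate the sample flows, then a burst of 21 web flows from one host in one minute."""
    fw = EgressFilter(build_demo_policy())
    results = [fw.evaluate(f) for f in SAMPLE_FLOWS]
    burst = [Flow("10.0.0.9", "203.0.113.10", "tcp", 80, b"GET / HTTP/1.1\r\n", 5)
             for _ in range(21)]
    burst_results = [fw.evaluate(f) for f in burst]
    return results, burst_results


if __name__ == "__main__":
    results, burst_results = run_demo()
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, results):
        print(f"{flow.proto}/{flow.dport} -> {flow.dst}: {verdict} ({reason})")
    print("burst, flow 21:", burst_results[20])
```

Only the list and destination checks (items 1 to 4) are stateless; the signature check needs visibility into the payload, and the rate threshold needs state across flows, which is why Duane's point stands that cheaper firewalls stop at the first four. The burst check here is deliberately naive (a fixed count per wall-clock minute) so that the threshold behaviour is easy to reason about.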