Re: Ports getting hammered?


"Somebody." <somebody.@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:hYSuf.8388$43.1353@xxxxxxxxxxxxxxx!nnrp1.uunet.ca...
>
> "Duane Arnold" <No@xxxxxx> wrote in message
> news:YfSuf.3070$Hl6.311@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>>>
>>> 1. it's not on the list of allowed outbound ports/protocols
>>> 2. it's on the list of blocked outbound ports/protocols
>>> 3. it's not on the list of allowed destinations
>>> 4. it's on the list of blocked destinations
>>> 5. it contains traffic that can be identified as problematic based on
>>> signature (deep inspection)
>>> 6. the behaviour of the traffic can be identified as nefarious
>>> (metrics, threholds, or profiling)
>>> 7. combinations of the above methods
>>
>> Not to be smart here but my Watchguard is not just going to start
>> blocking outbound from some machine that it has determined that outbound
>> traffic is dubious in some nature - automatically. Maybe some of the
>> higher end models can do it but I don't have one of those. The only PFW
>> solution that I know about that will stop outbound on its own based on
>> some kind of traffic analysis of protocols being broken is Blackice in
>> conjunction with using IPsec running on the machine. That traffic that
>> was being blocked outbound just happened to be the query by the XP O/S to
>> the MS site for time sync that the XP O/S was having trouble at the time,
>> which I told BI to accept the traffic and forget about it.
>>
>> I am aware of ZA and have used it. And I know that ZA is not stopping
>> outbound on its own unless some rules are being set to stop it. It's not
>> just going to start blocking outbound on its own and many of them cannot
>> do it.
>>
>> Duane :)
>
> Well to be honest I'm not fully up on most software firewalls as I don't
> believe in them as a genre. I run one sometimes to support clients that in
> fact does inspect traffic for nefarious content and can utilize most of
> the techniques I noticed including recognizing signatures of outbound
> traffic. It's the FortiClient which is the FortiGate's IPSec client.
> That's what my comments were based on.
>
> If your Watchguard can't stop outbound traffic... is it really useful?
> Would not the Windows XP firewall do exactly the same work?

My WG can stop inbound or outbound by setting rules by port, protocol and IP
WAN or LAN IP(s). What it can't do is start doing some kind of protocol
analysis to see if protocols are being broken only a IDS application in
system can do that. Now if the FW solution host based or otherwise has an
IDS element to it, then more power to it.

>
> As far as the appliance-based approach, the FortiGate firewall line in
> fact uses all the methods I mentioned and more to stop outbound traffic,
> no matter who solicits or initiates it, and it can't be compromised by the
> malware itself. Which is what makes that approach superior to a software
> based firewall approach.

I am not going to be depending upon any solution appliance, host based or
otherwise to be making some kind of decision as to when it's going to stop
inbound or outbound based on some algorithm it maybe using on its own that
has been predetermined by some programmer. BTW I am a programmer that's what
I do for a living is write programs. If I set rules for a FW host based,
appliance or otherwise to do something to filter packets inbound or
outbound, then it had better well do it.

I am the one who is the determining factor by reviewing logs for traffic
patterns, what's dubious or not dubious in nature and where traffic is
being sent to or coming from.

The buck stops with me and not some program in the determination as to what
is happening.. I may use tools to help me make that determination. But the
buck stops with me and no where else.

Duane :)
.


.

Relevant Pages

  • Re: Ports getting hammered?
    ... >>> If your Watchguard can't stop outbound traffic... ... >>> Would not the Windows XP firewall do exactly the same work? ... >> protocol analysis to see if protocols are being broken only a IDS ... >> own that has been predetermined by some programmer. ...
    (comp.security.firewalls)
  • Re: Cant Ping Windows 2003 server after R2 Upgrade..HELP!
    ... UPDATE* -- i've enabled to the windows firewall just to see what can be ... i then adjust the ICMP setting to allow ALL icmp. ... Enable 3 Allow outbound destination unreachable ... ICMP configuration for Local Area Connection 7: ...
    (microsoft.public.win2000.active_directory)
  • Re: black ice usage question
    ... It relies on it's application control for outbound protection. ... restrict the entire machine from accessing certain ports either. ... firewall will allow the user to restrict all access to only the ports ...
    (comp.security.firewalls)
  • Re: Firewall of SP2 is good?
    ... >> PFW solutions and some people do consider App Control a limited means ... then it cannot send any outbound traffic. ... > connections to an application. ... The firewall does NOT stop any ...
    (comp.security.firewalls)
  • Re: Network Firewall/Routing Solution
    ... > for a good solution to route inbound and outbound traffic. ... > firewall combo boxes that linksys sells, and I really don't want to run ... > I will need to deal with inbound web and ftp requests from the ... > non-pasv connections. ...
    (comp.security.firewalls)