Re: outbound filtering
- From: Jim Ford <jaford@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 27 Dec 2006 19:22:57 GMT
Leythos wrote:
> In article <MPG.1ffb712deac529b19896ac@xxxxxxxxxxxxxxxxxx>, casey@xxxxxxxxxxxxxxxx says...
>> In article <MPG.1ffb6f04ea7401569896aa@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, void@xxxxxxxxxxx says...
>>> In article <xn0evfczp7bkyt8002@xxxxxxxxxxxxxxxxxxxxx>, REMOVETHISbadgolferman@xxxxxxxxx says...
>>>> I have a NAT router with SPI filtering. I guess I'm relatively safe from inbound baddies but not from outbound programs. Of course I am sure that's not completely true but for the most part I believe that is correct.
>>>>
>>>> Is there an application other than a bloated PFW that can be used to monitor outbound connections and grant access or not?
>>>
>>> With a NAT router, not really. With a firewall, your first rule of access is to block everything and only permit access to what is required.
>>>
>>> With that in mind, many people secure the internet from their systems by blocking ports 135-139, 445, 1433, 1434 outbound - so that a compromised Windows machine and other things can't use those ports to attack others on the net. Many of us also block outbound HTTP access so that only approved sites can be accessed - so that a trojan or other malware that phones home on port 80 won't be able to reach the mother to get a new download/instructions. The same is true with HTTPS, only allow access to approved sites. Email, that's another, we don't allow POP/SMTP outbound from the LAN, except the specific address of the email server, so people can't sit at their desks and fetch email from outside the company, and if they get an SMTP malware, it can't send blindly (unless it tries to relay through the mail server).....
>>>
>>> There is no reliable means to have the appliance block an application on your computer, but you can block what the computer accesses.
>>
>> Leythos, thank you for this excellent information. I have used many of these points in my Sygate setup for the last 4-yrs with good results.
>>
>> Here is an example of port blocking that I use.
>>
>> Blocked TCP Ports
>>
>> Traffic Direction: Outbound
>> Remote ports
>> 1-12,14-24,26-42,44-79,81-109,111-118,120-442,444-8079,8081-11370,11372-65535
>> Local ports
>> 1-1024,1600-65535
>>
>> Traffic Direction: Inbound
>> Remote ports
>> 1-65535
>> Local ports
>> 1-1024, 1600-65535
>
> That's a good set, but, in a typical firewall, everything is blocked by default, only permitted by adding a rule, so it can save a lot of work.

Thanks for your informative and considerate response, Leythos - a complete contrast to the spiteful and vituperative replies by Sebastian Gottschalk. I'm sure the O.P. and others on this forum also appreciate your contributions.
Jim Ford
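
The thread's closing point is that a long outbound block list is the same policy as a short default-deny allow list. The following added example (not part of the original posts) inverts the quoted block list and checks that it covers the ports the thread recommends blocking. The function names are hypothetical; the port strings are copied from the quoted text.

```python
# Added example: port strings copied from the list quoted in the thread.
BLOCKED_REMOTE_TCP_OUT = (
    "1-12,14-24,26-42,44-79,81-109,111-118,"
    "120-442,444-8079,8081-11370,11372-65535"
)
# Ports the thread says many people block outbound.
MUST_BLOCK = "135-139,445,1433,1434"


def parse_ranges(spec):
    """Parse '1-12, 14' style text into a sorted list of (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((low, high))
    return sorted(ranges)


def complement(ranges, first=1, last=65535):
    """Return the ranges in [first, last] that `ranges` does not cover."""
    allowed, cursor = [], first
    for low, high in ranges:
        if low > cursor:
            allowed.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= last:
        allowed.append((cursor, last))
    return allowed


def leaked(must_block, blocked):
    """Ports from `must_block` that the block list fails to cover."""
    blocked_ranges = parse_ranges(blocked)
    return [p for low, high in parse_ranges(must_block)
            for p in range(low, high + 1)
            if not any(b_low <= p <= b_high for b_low, b_high in blocked_ranges)]


if __name__ == "__main__":
    allowed = complement(parse_ranges(BLOCKED_REMOTE_TCP_OUT))
    print("equivalent default-deny allow list:",
          ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in allowed))
    print("ports that should be blocked but are not:",
          leaked(MUST_BLOCK, BLOCKED_REMOTE_TCP_OUT) or "none")
```

The ten blocked ranges reduce to nine permitted remote ports, which is the rule set a default-deny firewall would carry instead.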