Re: Closing ports

In article <Xns99706C7489AEFjuergennieveler@xxxxxxxxxxxx>,
juergen.nieveler.nospam@xxxxxxxx (Juergen Nieveler) wrote:

*From:* Juergen Nieveler <juergen.nieveler.nospam@xxxxxxxx>
*Date:* 17 Jul 2007 13:55:51 GMT

doricnews@xxxxxxxxxxxxxx (Brian) wrote:

Received wisdom has been that all outgoing ports, other than those
actually required for use (e.g. for DNS, the web, e-mail, newsgroups
and possibly some others) should be closed.

That's a common security measure, usually used in conjunction with a
mandatory proxy server.

However, I find it difficult to believe that any serious bug wanting
to report home would try to use any port other than one of those that
is almost certain to be open, and therefore I wonder how important it
now is to close all unused outgoing ports.

True, malware writers have adapted - up to the point where they use
Internet Explorer itself to connect out (thus defeating some
application monitoring systems and proxy servers).

I have always followed that practice (using IPCop) but I have found it
rather annoying when I want to use FTP. For example, I have found
using FileZilla that one needs to open 30 or so consecutive ports
in order to use passive FTP.

FTP is a nightmare from a firewall POV - it wasn't really designed
with firewalls in mind, and passive FTP was a hasty add-on to deal
with them.

My question is not entirely academic because circumstances may force
me to use a firewall which does not have the ability to close

Closing outbound ports can enhance security, but not being able to do
so shouldn't be a showstopper. However, it means that you can't
control who can connect outbound should you so desire...

Juergen Nieveler
Give me the money that has been spent in war, and ... I will clothe
every man, woman and child in attire of which kings and queens would
be proud.
Henry Richard
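An added illustration, not part of this thread, of why passive FTP forces a client-side firewall to open a whole range: after the client sends PASV on the control connection (port 21), the server names an arbitrary data port in its 227 reply and the client must open a new outbound connection to it, so a stateless egress policy has to permit every port the server might pick. The egress policy and the 227 replies below are constructed sample values.

```python
import re

# Passive-mode FTP: the server answers PASV with
#   "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the client then connects outbound to h1.h2.h3.h4 on port p1*256+p2.
# This helper parses such a reply and checks the resulting data port
# against a simple stateless egress allow-list.

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Every field is a single byte; anything larger is not a valid reply
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def egress_allowed(port: int, allowed_ranges) -> bool:
    """allowed_ranges: inclusive (low, high) port ranges the firewall permits outbound."""
    return any(low <= port <= high for (low, high) in allowed_ranges)


# Constructed policy: DNS, web, mail, news, FTP control, plus a 30-port passive range
EGRESS_POLICY = [(21, 21), (25, 25), (53, 53), (80, 80), (110, 110),
                 (119, 119), (443, 443), (50000, 50029)]


def check_pasv_reply(reply: str, policy=EGRESS_POLICY):
    """Return (host, port, allowed) for a 227 reply, or None if it cannot be parsed."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    return host, port, egress_allowed(port, policy)


if __name__ == "__main__":
    # Constructed replies: one data port inside the allowed range, one outside it
    for r in ("227 Entering Passive Mode (192,0,2,10,195,88).",
              "227 Entering Passive Mode (192,0,2,10,234,16)."):
        print(r, "->", check_pasv_reply(r))
```

A stateful firewall that inspects the FTP control channel (for example the Linux nf_conntrack_ftp helper) can instead open just the negotiated data port for each transfer, which removes the need for a static range like the one above.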

Thanks for your comments Juergen.

I had not realised that bugs were able to use Internet Explorer for
outward transmissions. Although, as you intimate, this ability will
reduce the worth of programs like Zone Alarm, I suppose that programs
like ProcessGuard, which the defunct company DiamondCS used to market,
may be able to detect activity which would warn a user of something