Re: Closing ports



In article <Xns99706C7489AEFjuergennieveler@xxxxxxxxxxxx>,
juergen.nieveler.nospam@xxxxxxxx (Juergen Nieveler) wrote:

*From:* Juergen Nieveler <juergen.nieveler.nospam@xxxxxxxx>
*Date:* 17 Jul 2007 13:55:51 GMT

> doricnews@xxxxxxxxxxxxxx (Brian) wrote:
>
>> Received wisdom has been that all outgoing ports, other than those
>> actually required for use (e.g. for DNS, the web, e-mail, newsgroups
>> and possibly some others) should be closed.
>
> That's a common security measure, usually used in conjunction with a
> mandatory proxy server.
>
>> However, I find it difficult to believe that any serious bug wanting
>> to report home would try to use any port other than one of those
>> which is almost certain to be open, and therefore I wonder how
>> important it now is to close all unused outgoing ports.
>
> True, malware writers have adapted - up to the point where they use
> Internet Explorer itself to connect out (thus defeating some
> application monitoring systems and proxy servers).
>
>> I have always followed that practice (using IPCop) but I have found
>> it rather annoying when I want to use ftp. For example, I have found
>> using FileZilla that one needs to open 30 or so consecutive ports
>> in order to use passive ftp.
>
> FTP is a nightmare from a firewall POV - it wasn't really designed
> with firewalls in mind, and passive FTP was a hasty add-on to deal
> with them.
>
>> My question is not entirely academic because circumstances may force
>> me to use a firewall which does not have the ability to close
>> outgoing ports.
>
> Closing outbound ports can enhance security, but not being able to do
> so shouldn't be a showstopper. However, it means that you can't
> control who can connect outbound should you desire so...
>
> Juergen Nieveler
> --
> Give me the money that has been spent in war, and ... I will clothe
> every man, woman and child in attire of which kings and queens would
> be proud.
> Henry Richard



Thanks for your comments Juergen.

I had not realised that bugs were able to use Internet Explorer for
outward transmissions. Although, as you intimate, this ability will
reduce the worth of programs like Zone Alarm, I suppose that programs
like ProcessGuard, which the defunct company DiamondCS used to market,
may be able to detect activity which would warn a user of something
untoward.

Brian
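The two technical points in the exchange above, worked through as an added example in Python (not part of the original thread or any poster's code): a passive-FTP server announces a fresh data port in every 227 reply, so a client-side egress allow-list has to admit a whole range rather than one port, and an allow-list keyed on destination port cannot tell a "phone home" on 443 from ordinary HTTPS. The host names, the 50000-50029 passive window and the sample connection attempts below are constructed for illustration.

```python
"""Egress allow-list walk-through for the passive-FTP discussion.

Added example, not from the original thread. Hosts, ports, the passive
window and the 227 reply are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced by the server in a 227 reply.

    The data port is carried as two decimal bytes: port = p1*256 + p2.
    The client must be allowed to connect *out* to that port, and the
    server picks it afresh for every transfer, which is why a fixed
    egress rule cannot name a single port.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for b in (h1, h2, h3, h4, p1, p2):
        if not 0 <= b <= 255:
            raise ValueError("byte out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


@dataclass(frozen=True)
class EgressPolicy:
    """Outbound TCP allow-list: individual ports plus optional contiguous ranges."""

    allowed_ports: frozenset[int]
    allowed_ranges: tuple[tuple[int, int], ...] = ()

    def allows(self, dst_port: int) -> bool:
        if dst_port in self.allowed_ports:
            return True
        return any(lo <= dst_port <= hi for lo, hi in self.allowed_ranges)


# The "received wisdom" policy from the thread: DNS, web, mail, news, FTP control.
BASE_PORTS = frozenset({53, 80, 443, 25, 110, 119, 21})
STRICT = EgressPolicy(BASE_PORTS)
# Same policy with a ~30-port passive window like the one the poster had to
# open for FileZilla. The range 50000-50029 is an assumption, matching a
# server configured to hand out data ports in that window (constructed).
WITH_PASV = EgressPolicy(BASE_PORTS, ((50000, 50029),))


def evaluate(policy: EgressPolicy, attempts: list[tuple[str, int]]) -> dict[tuple[str, int], bool]:
    """Map each (dst_host, dst_port) attempt to whether the policy lets it out."""
    return {a: policy.allows(a[1]) for a in attempts}


# Constructed sample traffic. The last entry is the thread's point: a beacon to
# port 443 is indistinguishable, at the port level, from legitimate HTTPS.
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,91)\r\n"
ftp_host, ftp_port = parse_pasv(PASV_REPLY)  # -> ("198.51.100.7", 50011)
ATTEMPTS = [
    ("ftp.example.net", 21),   # control connection
    (ftp_host, ftp_port),      # data connection announced by the server
    ("irc.example.org", 6667), # off-list port, dropped by both policies
    ("c2.example.org", 443),   # "phone home" over a port that is always open
]

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("strict+pasv", WITH_PASV)):
        print(f"--- {name} ---")
        for (host, port), ok in evaluate(policy, ATTEMPTS).items():
            print(f"{host}:{port:<6} {'ALLOW' if ok else 'DROP'}")
```

Run stand-alone it prints the two verdict tables: under the strict policy the FTP data connection to 50011 is dropped while the beacon to 443 passes, and adding the passive window fixes the former without touching the latter. A real firewall with an FTP application-layer gateway reads the 227 reply for you and opens exactly the announced port for the duration of the transfer; the range rule here is what you are left with when, as in IPCop or a consumer router, no such helper is available.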
