Opening outgoing ports is always a big issue. In general, if your
corporate policy permits, block all ports first and open only the desired
outgoing ports. Smart people can always piggyback on open ports
from inside to outside if they want to, so an open outgoing port 80 doesn't
mean people inside are just web browsing. Many vendors are starting to
use port 80 for their servers (especially ASPs), as they know 99.99% of
organizations allow web browsing for their employees, so they use this
to make their products popular.
In general, if you are opening outgoing ports, be cautious with ports like
NFS (mountd), NetBIOS, NIS, RPC, Win2K share ports, etc.; better to block
these always.
Most importantly, the X11 ports (6000 - 6064). If these ports are open and
you have a UNIX box inside, anybody inside can just give a shell window
(like xterm) to the outside by using commands like
setenv DISPLAY outsider_machine:0
xterm
(assuming the outsider has an X server, like any Unix/Linux machine, or X server
emulation software on a PC).
Rajeev
"Reckhard, Tobias" wrote:
>
> > The security team at my company is coming under increasing pressure to
> > start opening all sorts of outgoing port numbers every time a project
> > manager decides to use a piece of software that needs internet access.
> > This is becoming a real problem for us, and I would imagine it is for many
> > people?
> >
> I imagine so..
>
> > We need to gather some 'ammunition' to back up our case for insisting
> > software uses internet standards (i.e. html or java and uses port 80 etc)
> > rather than being written in something like Cobra (port 15000 - 150015)
> > and Netstore (16384)
> >
> Actually, you should be glad they don't use port 80 or other 'standard'
> ports. The considerable motion to 'tunnel everything over HTTP' ((c) Paul D.
> Robertson ;-)) is generally viewed as not being welcome in security circles.
> Come to think of it, there was a thread about the very topic of 'new
> protocols and firewalls' on this list a couple of months ago..
>
> > Sort of questions we get is:
> > "We let browsing happen on port 80, why not other applications on other
> > ports?"
> >
> A valid question, really. Your problem is actually that you are being
> consulted too late in the game. You as the security people should be in the
> project from the start and advise on ways to perform whatever business tasks
> there are in a secure manner. As it is, I'd rather open up one port than
> have people flinging everything at port 80 and me not knowing what is
> traversing the borders.. Of course, many people here prefer to use
> application-specific proxies where they can and that would force the
> 'uncooperative developers' to use HTTP instead of their own protocol.
> Thinking about that a second, though, that's probably the way quite a few
> will work anyhow, since libraries with HTTP communication are already
> available to them..
>
> > "What's so bad about using just any old port, surely they are all the
> > same"
> >
> Which is perfectly true.
>
> Regards,
> Tobias
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
********************************************************************
Rajeev Kumar ([EMAIL PROTECTED])
http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey