Darrin,
I'd say this is a very common problem faced by folks administering firewalls
day to day.
One solution that I'd suggest is to create a new perimeter network, called
the "play pen" (some call it a "pig pen") where you let these various
protocols terminate. Put a server (or servers) in the play pen that can
terminate your end (usually the client end) of the connection and then
allow the users from the inside to reach those servers after they have
authenticated through the firewall.
This way (as long as you set up good user logging on the firewall) you know
who is actually using the application and can get an idea of "how much"
they are using it. If problems come up (because we all know they will) you
have that log data and can correlate how the problem started.
I had a customer do this and he found on examining the logs that several
nasty viruses had come into the network through the "pen". This customer
was able to determine almost the exact time and the user that brought them
in and used that info to shut down what turned out to be an unneeded
subscription-based service.
Hope this helps.
Regards,
Brian
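The logging side of the "play pen" approach above is the part that pays off later, so here is an added example (not from Brian's or Darrin's mail) of what that correlation looks like in practice: parse authenticated firewall log lines for traffic into the pen, tally how much each user uses each terminated protocol, and pull out which authenticated users reached a given pen server in the minutes before an incident. The log format, the host names, the 192.168.100.0/24 pen network and the sample lines are all constructed for this example; a real firewall's format will differ and the regular expression would need adjusting.

```python
"""Correlate authenticated firewall logs from a 'play pen' perimeter network.

Added example, not code from the original mailing-list post. The log
format is an assumption: one line per connection decision carrying the
authenticated user, the inside source host, the pen server reached and
the destination port.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format (not real logs).
SAMPLE_LOG = """\
2001-02-01 09:02:11 fw1 ACCEPT user=alice src=10.1.4.22 dst=192.168.100.10 dport=15000
2001-02-01 09:05:40 fw1 ACCEPT user=bob src=10.1.4.31 dst=192.168.100.11 dport=16384
2001-02-01 09:06:02 fw1 ACCEPT user=alice src=10.1.4.22 dst=192.168.100.10 dport=15001
2001-02-01 09:30:15 fw1 ACCEPT user=carol src=10.1.4.57 dst=192.168.100.10 dport=15000
2001-02-01 09:31:00 fw1 DENY user=carol src=10.1.4.57 dst=192.168.100.10 dport=8080
2001-02-01 10:12:44 fw1 ACCEPT user=bob src=10.1.4.31 dst=192.168.100.11 dport=16384
this line is garbage and must be skipped by the parser
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Assumed line layout: "<timestamp> <firewall> <ACCEPT|DENY> user= src= dst= dport="
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<action>ACCEPT|DENY) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash the report
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def usage_by_user(events):
    """Count permitted connections per (user, dport): who uses the app, and how much."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "ACCEPT":
            counts[(ev["user"], ev["dport"])] += 1
    return counts


def users_active_before(events, dst, incident_ts, window_minutes):
    """Authenticated users who reached pen server `dst` in the window before an incident.

    Only ACCEPTed connections count: a denied attempt never reached the pen.
    Returns a chronologically sorted list of (user, 'HH:MM:SS', dport) tuples.
    """
    incident = datetime.strptime(incident_ts, TS_FMT)
    start = incident - timedelta(minutes=window_minutes)
    hits = [
        (ev["ts"], ev["user"], ev["dport"])
        for ev in events
        if ev["action"] == "ACCEPT" and ev["dst"] == dst and start <= ev["ts"] <= incident
    ]
    return [(user, ts.strftime("%H:%M:%S"), dport) for ts, user, dport in sorted(hits)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, dport), n in sorted(usage_by_user(evs).items()):
        print(f"{user:8s} port {dport:5d}  {n} connection(s)")
    # Suppose the pen server on .10 started misbehaving at 09:35; who was on it just before?
    print(users_active_before(evs, "192.168.100.10", "2001-02-01 09:35:00", 10))
```

The point of tying pen access to an authenticated user rather than an IP address is exactly what `users_active_before` relies on: the answer comes back as a user name, not a DHCP lease that has since moved on, which is what makes the "almost the exact time and the user" attribution Brian describes possible.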
>Date: Thu, 1 Feb 2001 10:32:36 -0000
>From: Darrin Johansen <[EMAIL PROTECTED]>
>Subject: opening outgoing ports - standards?
>
>Hi,
>
>The security team at my company is coming under increasing pressure to start
>opening all sorts of outgoing port numbers every time a project manager
>decides to use a piece of software that needs internet access. This is
>becoming a real problem for us, and I would imagine it is for many people?
>
>We need to gather some 'ammunition' to back up our case for insisting
>software uses internet standards (i.e. HTML or Java and uses port 80, etc.)
>rather than being written in something like Cobra (port 15000 - 150015) and
>Netstore (16384).
>
>If anybody has any links or info it would be gratefully received. Opinions
>obviously also welcome, but please state the type of company or situation
>your firewalls are used in if possible etc
>
>The sort of questions we get are:
>"We let browsing happen on port 80, why not other applications on other
>ports?"
>"What's so bad about using just any old port, surely they are all the same"
>
>Cheers, dj
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]