Grant <emailgrant <at> gmail.com> writes:

> Do you block outbound ports
> with a firewall or only inbound?

Logging outbound traffic, and then looking at (analyzing) the outbound traffic, may be of interest to you.

Two extremes are wildly unpredictable: human imaginations in a collective where outbound traffic policy is constantly morphing, like a collection of young computer scientists at your local university. Like Alan alluded to, a basic nightmare of intellectual argument as to monitoring or blocking outbound traffic.

In the case where the services utilized are more consistent, in a pattern that is somewhat consistent over time, for example a network full of machines (literally machines for physical process control) or servers offering limited fixed services, then blocking outbound traffic (that should not and should never exist) could make sense. In a complex network, this may mean several different firewalls with different policies on outbound traffic.

The latter network may be a candidate for extensive monitoring, pattern detection and profiling of outbound traffic, with subsequent port blocking. If it's not used, block it, some would say. Whether it is more work than of value can only be decided by the logs and the policy requirements of that network's owner.

hth,
James
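An added example, not part of the post above: one way to profile logged outbound traffic before deciding what to block, by separating destination ports seen day after day from ones seen only occasionally. The `OUT-NEW: ` log prefix, the host name, the addresses and the three-day threshold are assumptions; the sample lines are constructed in the style of netfilter LOG output.

```python
import re
from collections import defaultdict

# Constructed sample: netfilter LOG-style lines for new outbound connections.
# The "OUT-NEW: " prefix and every address here are assumptions for the example.
SAMPLE_LOG = """\
Mar  3 09:00:01 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.11 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=502
Mar  3 09:05:00 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.12 DST=192.0.2.53 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  4 09:00:02 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.11 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40388 DPT=502
Mar  4 09:05:00 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.12 DST=192.0.2.53 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  4 10:00:00 plc-gw sshd[311]: Accepted publickey for ops
Mar  4 11:30:09 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  5 09:00:01 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.11 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40921 DPT=502
Mar  5 09:05:00 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.12 DST=192.0.2.53 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  5 23:41:17 plc-gw kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51544 DPT=6667
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s.*?OUT-NEW: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

def profile(lines):
    """Aggregate outbound log lines by (protocol, destination port)."""
    stats = defaultdict(lambda: {"hits": 0, "hosts": set(), "days": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an outbound firewall log line
        # Protocols without ports (e.g. ICMP) are keyed with port None.
        key = (m["proto"], int(m["dpt"]) if m["dpt"] else None)
        entry = stats[key]
        entry["hits"] += 1
        entry["hosts"].add(m["src"])
        entry["days"].add(" ".join(m["day"].split()))
    return stats

def classify(stats, min_days=3):
    """Split ports into steady (seen on >= min_days days) and rare (review first)."""
    steady, rare = [], []
    for key, entry in stats.items():
        (steady if len(entry["days"]) >= min_days else rare).append(key)
    return sorted(steady, key=str), sorted(rare, key=str)

if __name__ == "__main__":
    steady, rare = classify(profile(SAMPLE_LOG.splitlines()))
    print("steady (allow-list candidates):", steady)
    print("rare (review before blocking):", rare)
```
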

