1. No! Only allow outbound of what is absolutely required to make your web apps (if any) work. For example, maybe an LDAP or database server.

2. Yes! For example, I've seen a place with two rules set up for outbound http/https/ftp access in CP FW-1: the second one blocked all outbound http/s/ftp access from webservers; the first one allowed them with user authentication for the web server admins so they could update them easily. Put a short time limit before auth expires, just a few minutes. If a machine does manage to get infected by a Nimda/CR type worm, it at least won't spread through a web vector.

3. Only what's absolutely required, see number (1).

> From: Craig Brauckmiller [mailto:[EMAIL PROTECTED]]
> I have our IIS 5 server sitting on a private network with
> an IP of 10.2.32.20. It is being NAT'd via CheckPoint NG.
> I only allow HTTP traffic in to the web server but I allow
> the server unrestricted access out from the network.
>
> 1. Is this a good idea?
>
> 2. Should I lock down the web server's outbound ports to
> prevent Nimda/CodeRed type infections from propagating from
> my server?
>
> 3. What ports should I allow the server to go out on if any?
>
> Thanks in advance.
>
> Craig Brauckmiller
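The egress policy recommended above (HTTP in, only named dependencies out, everything else from the web server dropped), written here as an added example in nftables on a Linux gateway standing in for the CheckPoint NG box; it is not the poster's configuration, and the LDAP, database and DNS addresses and ports are assumed, since the thread names none.

```nftables
#!/usr/sbin/nft -f
# Added example, not the poster's rule base. Perimeter forward chain for the
# web server at 10.2.32.20 from the thread. Assumed (not in the original post):
# LDAP 10.2.32.10:389, SQL Server 10.2.32.11:1433, DNS 10.2.32.1:53.
# NAT for the web server and rules for other internal hosts are not shown.
define WEB  = 10.2.32.20
define LDAP = 10.2.32.10
define DB   = 10.2.32.11
define DNS  = 10.2.32.1

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Inbound to the web server: only the published HTTP/HTTPS service.
        ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # Outbound from the web server: only what the web apps need.
        # Replies to inbound HTTP sessions already pass via the established rule,
        # so nothing here needs to allow "port 80 back out".
        ip saddr $WEB ip daddr $LDAP tcp dport 389 ct state new accept
        ip saddr $WEB ip daddr $DB tcp dport 1433 ct state new accept
        ip saddr $WEB ip daddr $DNS udp dport 53 accept

        # Everything else the web server initiates is logged, then dropped.
        # A burst of blocked 80/443 attempts to many hosts is the signature of a
        # Nimda/Code Red style infection trying to spread over HTTP.
        ip saddr $WEB tcp dport { 80, 443 } log prefix "web-egress-http " counter drop
        ip saddr $WEB log prefix "web-egress " counter drop
    }
}
```

The time-limited, user-authenticated admin exception from point 2 is not shown: nftables has no user authentication, so that would need a separate mechanism in front of the firewall.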
