Crazy. If you're gonna allow every port out, I would only allow every port out with the introduction of a proxy server and some content filtering. But never directly out from workstation to internet.

e.g. M$ ISA Proxy server with TrendMicro Interscan WebProtect. This will at least attempt to help prevent any virus, malicious code or non-work-related sites being accessed, and gives some form of monitoring on what is going on. The proxy server should go in your DMZ so there is never any direct traffic from the untrusted side of your firewall to the trusted ... and vice versa. The WebProtect could go on a separate machine in the trusted or DMZ (as its next hop will be the proxy server), but since it's running IIS, I put it in the DMZ. All http/ftp traffic is then directed at the WebProtect installation. Anything else, by means of an ISA firewall client installed on the workstation, that is not in the LAT (Local Address Table), is sent to the ISA server for processing whether it is allowed or not. E.g. deny telnet but allow the HR staff to access some 3rd party recruiting application.

Apart from external hackers putting backdoors in etc., what about your internal users? Where I am at we have about 300 developers who all seem to think they know best and are always requesting stuff to be opened. Upon investigation it is usually so they can access some dodgy thing they have set up at home which would just compromise any "anti-virus" or "security procedures" we have in place.

It is apparent that you are blocking everything (most) out at the moment. See if you can get a look at the "denied out" logs. I look at mine all the time and always find someone is up to something, or some M$ windoze box has decided that it is going to broadcast to the world and tell everyone who it is, or one of our dodgy developers has managed to get root on a linux box and is trying to run their own mail server on it. Looking at that will probably give you some good starts. E.g. here is an excerpt from what I see on my deny out log .... all sorts of junk.

    10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
    10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
    10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649
    10.0.3.193:2792 0.0.0.0:0 24.150.130.49:3949 0 sec. TCP PORT 3949
    10.0.3.193:2791 0.0.0.0:0 66.108.208.249:1214 0 sec. TCP PORT 1214
    10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
    10.0.1.150:32769 0.0.0.0:0 239.2.11.73:8649 0 sec. UDP PORT 8649
    10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
    10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649

Now I have to go off and find why someone is trying to print to "170.152.52.141" and what's going on with the rest.

Rather than battling it out, I think that if you can come up with a solution like what I've said, or better, then you will get the best of both worlds. The firewall guys don't have to keep reconfiguring the firewall, the users get more functionality, you get more peace of mind, security and monitoring functionality, and your BW usage should be reduced.

Just my blurb on it.

Cheers

-----Original Message-----
From: tony tony [mailto:tonytorri@;yahoo.com]
Sent: Friday, November 08, 2002 2:34 PM
To: [EMAIL PROTECTED]
Subject: Open All Outbound Ports?

Hi,

Our firewall group has come to me several times over the last few months wanting my approval to open all of the "OUTBOUND" ports on our firewall facing the internet. Their argument is that this would not significantly reduce our security and it will reduce their time/effort in administration. They claim they get several requests a week to open up outbound ports and the number keeps growing each month. They want to go for the gusto and open up all 65,000+ outbound ports. I am in the security area and they want my agreement/sign off before they do this. It just does not "feel/smell right" but I am losing ground with my arguments. What are some good arguments I can use?

Tony
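The "look at your denied-out logs" advice in the reply above, turned into a small triage script. This is an added example, not code from either poster; it assumes the line layout seen in the quoted excerpt (src:port, a NAT column, dst:port, duration, protocol, port) and uses a hypothetical hint table of a few well-known port assignments (LPD 515, FastTrack/KaZaA 1214, Ganglia 8649) to explain the excerpt's own flows, flagging multicast destinations like the 239.2.11.x ones separately.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample: the nine deny-out lines quoted in the reply above.
SAMPLE_LOG = """\
10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649
10.0.3.193:2792 0.0.0.0:0 24.150.130.49:3949 0 sec. TCP PORT 3949
10.0.3.193:2791 0.0.0.0:0 66.108.208.249:1214 0 sec. TCP PORT 1214
10.0.2.219:1391 0.0.0.0:0 208.230.130.238:5004 0 sec. UDP PORT 5004
10.0.1.150:32769 0.0.0.0:0 239.2.11.73:8649 0 sec. UDP PORT 8649
10.0.2.141:561 0.0.0.0:0 170.152.52.141:515 0 sec. TCP PORT 515
10.0.1.16:32785 0.0.0.0:0 239.2.11.71:8649 0 sec. UDP PORT 8649
"""
# Assumed layout: "src:sport <nat> dst:dport <n> sec. PROTO PORT <dport>"
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) \S+ (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\d+ sec\. (?P<proto>TCP|UDP) PORT \d+$"
)
# Hypothetical triage hints for a few well-known port assignments.
HINTS = {
    ("TCP", 515): "LPD print job leaving the network; check printer setup",
    ("TCP", 1214): "FastTrack/KaZaA peer-to-peer; probably an unauthorised client",
    ("UDP", 8649): "Ganglia gmond multicast; monitoring daemon chatter",
}
def parse_deny_log(text):
    """Parse deny-out lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events
def triage(events):
    """Group denied flows by (src, proto, dst, dport), most frequent first."""
    counts = Counter((e["src"], e["proto"], e["dst"], e["dport"]) for e in events)
    report = []
    for (src, proto, dst, dport), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        scope = "multicast" if ipaddress.ip_address(dst).is_multicast else "unicast"
        hint = HINTS.get((proto, dport), "unknown service; ask the owner of " + src)
        report.append({"src": src, "proto": proto, "dst": dst, "dport": dport,
                       "hits": n, "scope": scope, "hint": hint})
    return report
if __name__ == "__main__":
    for r in triage(parse_deny_log(SAMPLE_LOG)):
        print(r["hits"], r["src"], "->", f"{r['dst']}:{r['dport']}/{r['proto']}", r["scope"], r["hint"])
```

Flows that fall through to "unknown service" are the ones worth chasing first; the multicast rows are usually local daemon chatter that the firewall is right to drop but the host owner should still switch off.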