Do you filter outbound traffic?

Poll: Do you filter outbound traffic?
Yes - Default deny: 77% [7 votes]
Yes - Default allow: 22% [2 votes]
No - No filtering at all: 0% [0 votes]
Total Votes: 9

Ipsec Espah
Posted: Sun Aug 12, 2007 7:40 pm    Post subject: Do you filter outbound traffic?

I'm curious as to how many of you filter outbound traffic at work. Is it a default deny or allow? What are your reasons for your outbound filtering policy?
alt.don
Posted: Sun Aug 12, 2007 8:25 pm

I have seen some networks that do filter outbound traffic, be it outbound traffic to only ports 80 and 443 or other like mixtures. Some have had severe restrictions and others have been looser. I am a large proponent of filtering outbound traffic both via the router and IDS.
AdamV
Posted: Sun Aug 12, 2007 9:30 pm

I filter outbound for my home business network using default deny.

Usually if I set up customer networks I would set up their router/firewall device with default deny on outbound except (usually):
DNS on UDP 53
HTTP on TCP 80
HTTPS on TCP 443

SMTP on TCP 25 only from known internal email servers (or from all if a small network using individual POP/SMTP direct from the clients, in which case open 110 as well). Blocking random SMTP prevents spambots from working (if they did get infected).

FTP if their AV update solution depends on it; again, do this from a single known server and propagate from there if this is an option in the software (i.e. it is enterprise class, not every machine going off to the internet individually).

If a very large network then 80 and 443 need only be from their proxy server, not from all clients.

I would add other individual ports depending on requirements, e.g. for a VPN tunnel to another network.

Note that Vista's built-in firewall has outbound filtering capability as well as inbound (which XP sp2 already had).
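The default-deny outbound policy AdamV describes above, written out as an nftables ruleset with a dry-run policy check. This is an added example, not code from the thread or any of its posters; the LAN 192.0.2.0/24, the mail server 192.0.2.25 and the AV update server 192.0.2.30 are constructed sample addresses.

```shell
# Added example: AdamV's default-deny outbound policy as nftables rules.
# LAN 192.0.2.0/24, mail server 192.0.2.25 and AV server 192.0.2.30 are
# constructed sample values, not addresses from the thread.
LAN="192.0.2.0/24"
LAN_PREFIX="192.0.2."
MAIL="192.0.2.25"
AVSRV="192.0.2.30"
# Policy table: "proto dport allowed-source"; "lan" means any internal host.
# For a large network, replace "lan" on the 80/443 lines with the proxy's address.
policy() {
    cat <<EOF
udp 53 lan
tcp 80 lan
tcp 443 lan
tcp 25 $MAIL
tcp 21 $AVSRV
EOF
}
in_lan() { case "$1" in ${LAN_PREFIX}*) return 0 ;; *) return 1 ;; esac; }
# Emit the ruleset: the forward chain is "policy drop", so anything not in the
# table (random SMTP from an infected client, for instance) is logged and dropped.
nft_rules() {
    echo "table inet outbound {"
    echo "  chain forward {"
    echo "    type filter hook forward priority 0; policy drop;"
    echo "    ct state established,related accept"
    policy | while read -r proto port src; do
        [ "$src" = lan ] && src="$LAN"
        echo "    ip saddr $src $proto dport $port ct state new accept"
    done
    echo "    log prefix \"outbound-denied: \" drop"
    echo "  }"
    echo "}"
}
# Dry-run check: would a new flow (proto, dport, source) pass the policy?
# Returns 0 for allow, 1 for deny; grep at the end of the pipeline sets the status.
is_allowed() {
    proto="$1"; port="$2"; src="$3"
    policy | while read -r p d s; do
        if [ "$p" = "$proto" ] && [ "$d" = "$port" ]; then
            if [ "$s" = "$src" ]; then echo allow
            elif [ "$s" = lan ] && in_lan "$src"; then echo allow
            fi
        fi
    done | grep -q allow
}
nft_rules
```

Load the printed ruleset with `nft -f` once reviewed; `is_allowed tcp 25 192.0.2.77` returning deny is the spambot case AdamV mentions.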
Ipsec Espah
Posted: Sun Aug 12, 2007 9:50 pm

Good replies so far. How have your end users reacted to this policy, and how did you convince management that a default deny policy for outbound traffic was worth it?
alt.don
Posted: Sun Aug 12, 2007 11:14 pm

The network which was tightly locked down had some griping from employees but given the place they worked, it was minimal. Several other networks I have seen had some severe aggro from the wage slaves. Then again, they thought their work had to be an ISP as well. They seem to forget they are there to work, and were it me, they would have access to the company intranet.
AdamV
Posted: Mon Aug 13, 2007 9:48 am

In the tightest lockdown situation I have done, they had issues with a web-based application via their normal internet access route through Head Office and several firewalls; it was just too laggy to work.

So they eventually agreed to have a separate "dirty" network with a direct DSL connection. This was to use only this one application and nothing else, which it did and no-one complained because this was a vast improvement on their previous situation.
The machines in this separate workgroup have NO DNS entries and only have hosts for the sites they need to work. The DNS has only been left open for "administrative" use (i.e. me).
We have subsequently started using this connection for testing laptop VPN setups, so a couple of ports have been opened for that - this is far easier than waiting for the user to go home and then try and sort their issues over the phone.