Do you filter outbound traffic?

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security
Do you filter outbound traffic?
Yes - Default deny
77%
 77%  [ 7 ]
Yes - Default allow
22%
 22%  [ 2 ]
No - No filtering at all
0%
 0%  [ 0 ]
Total Votes : 9


Author: Ipsec Espah PostPosted: Sun Aug 12, 2007 7:40 pm    Post subject: Do you filter outbound traffic?
    ----
I'm curious as to how many of you filter outbound traffic at work. Is it a default deny or allow? What are your reasons for your outbound filtering policy?

Author: alt.don PostPosted: Sun Aug 12, 2007 8:25 pm    Post subject:
    ----
I have seen some networks that do filter outbound traffic. Be it outbound traffic to only port 80 and 443 or other like mixtures. Some have had severe restrictions and others have been looser. I am a large proponent of filtering outbound traffic both via the router and IDS.

Author: AdamVLocation: Leeds, UK PostPosted: Sun Aug 12, 2007 9:30 pm    Post subject:
    ----
I filter outbound for my home business network using default deny.

Usually if I set up customer networks I would set up their router/firewall device with default deny on outbound except (usually):
DNS on UDP 53
HTTP on TCP 80
HTTPS on TCP 443

SMTP on TCP 25 only from known internal email servers (or from all if a small network using individual POP/SMTP direct from the clients, in which case open 110 as well). Blocking random SMTP prevents spambots from working (if they did get infected).

FTP if their AV update solution depends on it, again do this from a single known server and propogate from there if this is an option in the software (ie it is enterprise class, not every machine going off to the internet individually).

If a very large network then 80 and 443 need only be from their proxy server, not from all clients.

I would add other individual ports depending on requirements, eg for a VPN tunnel to another network

Note that Vista's built-in firewall has outbound filtering capability as well as inbound (which XP sp2 already had).

Author: Ipsec Espah PostPosted: Sun Aug 12, 2007 9:50 pm    Post subject:
    ----
Good replies so far. How have your end users reacted to this policy, and how did you convince management that a default deny policy for outbound traffic was worth it?

Author: alt.don PostPosted: Sun Aug 12, 2007 11:14 pm    Post subject:
    ----
The network which was tightly locked down had some griping from employees but given the place they worked, it was minimal. Several other networks I have seen had some severe aggro from the wage slaves. Then again, they thought their work had to be an ISP as well. Laughing They seem to forget they are there to work, and were it me, they would have access to the company intranet.

Author: AdamVLocation: Leeds, UK PostPosted: Mon Aug 13, 2007 9:48 am    Post subject:
    ----
In the tightest lockdown situation I have done they had issues with a web-based application via their normal internet access route through Head Office and several firewalls, it was just too laggy to work.

So they eventually agreed to have a separate "dirty" network with a direct DSL connection. This was to use only this one application and nothing else, which it did and no-one complained because this was a vast improvement on their previous situation.
The machine in this separate workgroup have NO DNS entries and only have hosts for the sites they need to work. The DNS has only been left open for "administrative" use (ie me).
We have subsequently started using this connection for testing laptop VPN setups, so a couple of ports have been opened for that - this is far easier than waiting for the user to go home and then try and sort their issues over the phone.



Networking/Security Forums -> Firewalls // Intrusion Detection - External Security


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group