outbound filtering - Firewalls

Thread: outbound filtering

  1. Re: outbound filtering

    Leythos wrote:
    > In article ,
    > casey@notspecified.net says...
    >> In article ,
    >> void@nowhere.lan says...
    >>> In article ,
    >>> REMOVETHISbadgolferman@gmail.com says...
    >>>> I have a NAT router with SPI filtering. I guess I'm relatively safe
    >>>> from inbound baddies but not from outbound programs. Of course I am
    >>>> sure that's not completely true but for the most part I believe that is
    >>>> correct.
    >>>>
    >>>> Is there an application other than a bloated PFW that can be used to
    >>>> monitor outbound connections and grant access or not?
    >>> With a NAT router, not really. With a firewall, your first rule of
    >>> access is to block everything and only permit access to what is
    >>> required.
    >>>
    >>> With that in mind, many people secure the internet from their systems by
    >>> blocking ports 135-139, 445, 1433, 1434 outbound - so that a compromised
    >>> Windows machine and other things can't use those ports to attack others
    >>> on the net. Many of us also block outbound HTTP access so that only
    >>> approved sites can be accessed - so that a trojan or other malware that
    >>> phones home on port 80 won't be able to reach the mother to get a new
    >>> download/instructions. The same is true with HTTPS, only allow access to
    >>> approved sites. Email, that's another, we don't allow POP/SMTP outbound
    >>> from the LAN, except the specific address of the email server, so people
    >>> can't sit at their desks and fetch email from outside the company, and
    >>> if they get an SMTP malware, it can't send blindly (unless it tries to
    >>> relay through the mail server).....
    >>>
    >>> There is no reliable means to have the appliance block an application on
    >>> your computer, but you can block what the computer accesses.
    >>>
    >>>

    >> Leythos, thank you for this excellent information. I have used many of
    >> these points in my Sygate setup for the last 4-yrs with good results.
    >> Here is an example of port blocking that I use.
    >>
    >> Blocked TCP Ports
    >>
    >> Traffic Direction: Outbound
    >> Remote ports
    >> 1-12,14-24,26-42,44-79,81-109,111-118,120-442,444-8079,8081-11370,11372-65535
    >> Local ports
    >> 1-1024,1600-65535
    >>
    >> Traffic Direction: Inbound
    >> Remote ports
    >> 1-65535
    >> Local ports
    >> 1-1024, 1600-65535

    >
    > That's a good set, but, in a typical firewall, everything is blocked by
    > default, only permitted by adding a rule, so it can save a lot of work.
    >


    Thanks for your informative and considerate response, Leythos - a
    complete contrast to the spiteful and vituperative replies by Sebastian
    Gottschalk. I'm sure the O.P. and others on this forum also appreciate
    your contributions.

    Jim Ford
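    Added example, not code from the thread: it turns the Sygate "block these remote port ranges" rule quoted above into the list of ports it actually leaves open, and then models the default-deny allow-list that Leythos recommends instead (block everything, permit only approved sites on 80/443 and only the mail server on 25/110). The host names and addresses in the policy are constructed placeholders.

```python
# Added example (not from the thread): deny-list vs. default-deny outbound policy.

def parse_ranges(spec):
    """Parse a Sygate-style '1-12,14-24,...' list into a set of port numbers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def allowed_ports(blocked_spec):
    """Complement of the blocked ranges over 1-65535: what the rule really permits."""
    return sorted(set(range(1, 65536)) - parse_ranges(blocked_spec))

# Remote port ranges blocked outbound in the Sygate rule set quoted in the thread.
SYGATE_BLOCKED_REMOTE = ("1-12,14-24,26-42,44-79,81-109,111-118,120-442,"
                         "444-8079,8081-11370,11372-65535")

# Default-deny outbound policy in the spirit of Leythos's advice. Each entry maps a
# remote port to the set of approved destinations, or None for "any destination".
# Hosts are constructed placeholders, not real infrastructure.
POLICY = {
    80:  {"www.example.com", "update.example.org"},   # only approved web sites
    443: {"www.example.com", "mail.example.net"},     # same for HTTPS
    25:  {"mail.example.net"},                        # SMTP only to the mail server
    110: {"mail.example.net"},                        # POP3 only to the mail server
    53:  None,                                        # DNS to any resolver
}

def decide(dst_host, dst_port, policy=POLICY):
    """Default deny: a flow passes only if an explicit allow rule matches it."""
    if dst_port not in policy:
        return "deny"        # no rule at all: 135-139, 445, 1433, 1434 and the rest
    hosts = policy[dst_port]
    if hosts is None or dst_host in hosts:
        return "allow"
    return "deny"            # right port, unapproved destination (malware phoning home)

if __name__ == "__main__":
    print("ports the Sygate rule leaves open:", allowed_ports(SYGATE_BLOCKED_REMOTE))
    for host, port in [("www.example.com", 80), ("203.0.113.9", 80),
                       ("203.0.113.9", 445), ("mail.example.net", 25),
                       ("203.0.113.9", 25), ("198.51.100.1", 53)]:
        print(f"{host}:{port} -> {decide(host, port)}")
```

    Note that the quoted deny-list still leaves 80 and 443 open to any host, which is exactly the "phone home" path Leythos closes with approved-site rules.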

  2. Re: outbound filtering

    In article ,
    jaford@watford53.freeserve.co.uk says...
    > Thanks for your informative and considerate response, Leythos - a
    > complete contrast to the spiteful and vituperative replies by Sebastian
    > Gottschalk. I'm sure the O.P. and others on this forum also appreciate
    > your contributions.


    Careful, if you say nice things about me SG will kill-file you as a
    troll

    Really, I design secure networks for a living, at the medical,
    government, intel, military levels, and have never had a compromised
    network. I'm sure SG and his group could help if they were not so
    stuck on their own importance.

    Let me know if you need anything else.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  3. Re: outbound filtering

    Jim Ford wrote:

    > Thanks for your informative and considerate response,


    And a useless one. The things stated above won't stop just the littlest
    program from "phoning home".

    > I'm sure the O.P. and others on this forum also appreciate
    > your contributions.


    You still don't get it? This is no forum, this is Usenet.

  4. Re: outbound filtering

    Leythos wrote:
    > jaford@watford53.freeserve.co.uk says...


    >> Thanks for your informative and considerate response, Leythos - a
    >> complete contrast to the spiteful and vituperative replies by Sebastian
    >> Gottschalk. I'm sure the O.P. and others on this forum also appreciate
    >> your contributions.

    >
    > Careful, if you say nice things about me SG will kill-file you as a
    > troll
    >
    > Really, I design secure networks for a living, at the medical,
    > government, intel, military levels, and have never had a compromised
    > network. I'm sure SG and his group could help if they were not so
    > stuck on their own importance.
    >
    > Let me know if you need anything else.


    I recall I did not see mention of port range 1024-1030 as blocked or
    otherwise restricted, even though some ports in that range seem to
    gather considerable non-solicited attention:

    http://isc.sans.org/top10.php
    http://isc.sans.org/large_map.php

    There are particular applications like instant messaging clients etc.
    using some of them, but still, does blocking that range prevent
    Windows from working otherwise? I seem to do well enough without them.

    --
    S.Suikkanen

  5. Re: outbound filtering

    Killfile

    There, that's better. You can call me names all you want now, since I
    won't have to listen to it. Anyway, to the OP, seriously, listen to the
    rest of us, but pay no attention to Sebastian Gottschalk. He really
    gives the usenet community a bad name.

    Will

  6. Re: outbound filtering

    In article <4vfsulF1c5ci9U1@mid.dfncis.de>, seppi@seppig.de says...
    >
    > Now please, go away. You don't have any technical knowledge at all, and
    > unless you're willing to learn, you'll just keep on spouting nonsense. I
    > won't mind you, but please stop telling such nonsense to other people who
    > don't know any better.
    >



    Hehe...do you suffer from any form of personality disorder sebastian? or
    do you have a doppelganger?
    me

  7. Re: outbound filtering

    In article , ei.posti@osoitetta.notvalid says...
    > Leythos wrote:
    > > jaford@watford53.freeserve.co.uk says...

    >
    > >> Thanks for your informative and considerate response, Leythos - a
    > >> complete contrast to the spiteful and vituperative replies by Sebastian
    > >> Gottschalk. I'm sure the O.P. and others on this forum also appreciate
    > >> your contributions.

    > >
    > > Careful, if you say nice things about me SG will kill-file you as a
    > > troll
    > >
    > > Really, I design secure networks for a living, at the medical,
    > > government, intel, military levels, and have never had a compromised
    > > network. I'm sure SG and his group could help if they were not so
    > > stuck on their own importance.
    > >
    > > Let me know if you need anything else.

    >
    > I recall I did not see mention of port range 1024-1030 as blocked or
    > otherwise restricted, even though some ports in that range seem to
    > gather considerable non-solicited attention:
    >
    > http://isc.sans.org/top10.php
    > http://isc.sans.org/large_map.php
    >
    > There are particular applications like instant messaging clients etc.
    > using some of them, but still, does blocking that range prevent
    > Windows from working otherwise? I seem to do well enough without them.


    I actually have a rule in our firewalls (yes, multiple units at many
    locations) that will auto-block any host probing 1026 or 1027, for 20
    minutes. On our developers' network, where we do the same for 445 probes,
    we're currently blocking about 60 sites that have probed or been
    classified as unapproved probing. This list has been as high as 300+
    sites, but it's dynamic - meaning they are blocked for 20 minutes
    automatically, then it resets. If I see them in the logs too many times I
    just set up a permanent ban on that IP.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
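    Added example, not the poster's firewall configuration: a small model of the auto-block rule described above. Every probe of a watched port (1026, 1027, and 445 as on the developers' network) blocks the source for 20 minutes, a fresh probe restarts the window, and a source seen past a threshold is banned permanently. The log line format, the threshold of five hits and the addresses are all constructed for the example.

```python
# Added example (not the poster's code): time-limited auto-block with escalation.
from datetime import datetime, timedelta

WATCHED_PORTS = {1026, 1027, 445}      # ports whose probes trigger a block
BLOCK_FOR = timedelta(minutes=20)      # temporary block duration from the thread
PERMANENT_AFTER = 5                    # assumed threshold for "too many times"

class ProbeBlocker:
    def __init__(self):
        self.temp = {}          # src -> expiry time of its current temporary block
        self.hits = {}          # src -> total probes of watched ports seen
        self.permanent = set()  # sources escalated to a permanent ban

    def observe(self, when, src, dst_port):
        """Feed one connection attempt; returns the action taken for it."""
        if dst_port not in WATCHED_PORTS:
            return "ignore"
        self.hits[src] = self.hits.get(src, 0) + 1
        if self.hits[src] >= PERMANENT_AFTER:
            self.permanent.add(src)
            self.temp.pop(src, None)     # permanent ban supersedes the timer
            return "permanent"
        self.temp[src] = when + BLOCK_FOR  # a new probe restarts the 20 minutes
        return "block"

    def blocked(self, when):
        """Sources blocked at `when` (datetime or ISO string); expired timers no longer count."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        active = {src for src, exp in self.temp.items() if exp > when}
        return active | self.permanent

def parse_line(line):
    """Parse a constructed 'YYYY-mm-ddTHH:MM:SS <src> <dport>' log line."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

# Constructed sample log: one host probes 1026/1027 repeatedly, another hits 445 once.
SAMPLE_LOG = """\
2006-12-27T20:01:00 198.51.100.7 1026
2006-12-27T20:02:30 203.0.113.4 445
2006-12-27T20:05:00 198.51.100.7 80
2006-12-27T20:30:00 198.51.100.7 1027
2006-12-27T20:31:00 198.51.100.7 1026
2006-12-27T20:32:00 198.51.100.7 1027
2006-12-27T20:33:00 198.51.100.7 1026
"""

def replay(log_text):
    """Run every log line through a fresh blocker; returns (blocker, per-line actions)."""
    blocker = ProbeBlocker()
    actions = [blocker.observe(*parse_line(l)) for l in log_text.splitlines()]
    return blocker, actions

if __name__ == "__main__":
    b, acts = replay(SAMPLE_LOG)
    print(acts)
    print("blocked at 20:25:", b.blocked("2006-12-27T20:25:00"))
```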

  8. Re: outbound filtering

    Sauli Suikkanen wrote:

    > I recall I did not see mention of port range 1024-1030 as blocked or
    > otherwise restricted, even though some ports in that range seem to
    > gather considerable non-solicited attention:
    >
    > http://isc.sans.org/top10.php
    > http://isc.sans.org/large_map.php


    Well, do you know why? Windows tries to assign the lowest ephemeral ports
    to RPC services, so they usually end up at 1025-1030. Task Scheduler, if
    not unbound, is such a very typical service. It usually ends up at 1025,
    and had various security vulnerabilities.

    > There are particular applications like instant messaging clients etc.
    > using some of them,


    Ehm... these are ephemeral ports, thus they can be used by ANY application.

    > but still, does blocking that range prevent Windows from working otherwise?


    Eh... exactly ANY application?

    > I seem to do well enough without them.


    Sure, you won't notice it. Windows by default chooses ephemeral ports from
    1025-5000, thus if you block 6 out, your chance of noticing an application
    error is 6/(5000-1025+1) ~ 0.15 %. Unlikely that you could attribute such
    a rare error to such a misconfiguration.

    At any rate, it would be a much wiser choice to exclude this range from
    being used by applications. Heck, you can do this even in Windows!

  9. Re: outbound filtering

    William, 12/27/2006,4:02:13 PM, wrote:

    > Killfile
    >
    > There, that's better. You can call me names all you want now, since
    > I won't have to listen to it. Anyway, to the OP, seriously, listen
    > to the rest of us, but pay no attention to Sebastian Gottschalk. He
    > really gives the usenet community a bad name.
    >
    > Will


    I got that impression a few days ago but it was fun watching you two
    banter. Don't give up on him yet!

    I decided to reinstall a PFW for outbound control. For now I am trying
    to learn Comodo PFW, although it seems more complicated than the Sygate
    5.6 I was using before.

  10. Re: outbound filtering

    On Wed, 27 Dec 2006 21:09:43 +0100, Sebastian Gottschalk wrote:

    >> I'm sure the O.P. and others on this forum also appreciate
    >> your contributions.

    >
    >You still don't get it? This is no forum, this is Usenet.


    That contributes nothing to the discussion at hand other than to
    illustrate your limited understanding of the English language.



    "a medium (as a newspaper or online service) of open discussion or
    expression of ideas"

    If you take a look at you might
    learn to remedy your deficiency so you don't look so foolish in the
    future.

    --
    John

  11. Re: outbound filtering

    John Wilson wrote:

    >>> I'm sure the O.P. and others on this forum also appreciate
    >>> your contributions.

    >>
    >>You still don't get it? This is no forum, this is Usenet.

    >
    > That contributes nothing to the discussion at hand


    It does. Usenet is not a support medium, it's a medium for discussion. As
    such, there's no reason for answering questions to a poster just because he
    asks, or to stick with his intended topic, or even refer to the original
    discussion point.

    In fact, a well-known Usenet law states that every sufficiently long
    discussion ends up with the topic "beer", no matter what the original topic
    was. :-)

    > other than to
    > illustrate your limited understanding of the English language.
    >
    >
    >
    > "a medium (as a newspaper or online service) of open discussion or
    > expression of ideas"


    Seems like your understanding is limited as well. It doesn't mean that
    every such medium is a forum. Just like a blackboard that can be used for
    discussion isn't a forum, Usenet as the digital variant of a blackboard
    isn't either.

    > If you take a look at you might
    > learn to remedy your deficiency so you don't look so foolish in the
    > future.


    You mean as foolish as you're looking now for not checking
    , which explicitly differs
    between forums and newsgroups?

  12. Re: outbound filtering

    On Thu, 28 Dec 2006 16:52:00 +0100, Sebastian Gottschalk wrote:

    >You mean as foolish as you're looking now for not checking
    >, which explicitly differs
    >between forums and newsgroups?


    Where in the sentence "I'm sure the O.P. and others on this forum also
    appreciate your contributions." do you see "Internet forum"?

    For your education:

    Maybe you should stick to your area of expertise and avoid advising
    others about the English language.

    --
    John

  13. Re: outbound filtering

    John Wilson wrote:

    > Where in the sentence "I'm sure the O.P. and others on this forum also
    > appreciate your contributions." do you see "Internet forum"?


    And what is context?

    > For your education:




    > Maybe you should stick to your area of expertise and avoid advising
    > others about the English language.


    Nah, I just forgot to insert the fup2.

  14. Re: outbound filtering

    In article <4vi7ikF1c0plcU1@mid.dfncis.de>, seppi@seppig.de says...
    > John Wilson wrote:
    >
    > >>> I'm sure the O.P. and others on this forum also appreciate
    > >>> your contributions.
    > >>
    > >>You still don't get it? This is no forum, this is Usenet.

    > >
    > > That contributes nothing to the discussion at hand

    >
    > It does. Usenet is not a support medium, it's a medium for discussion. As
    > such, there's no reason for answering questions to a poster just because he
    > asks, or to stick with his intended topic, or even refer to the original
    > discussion point.


    Discussion encompasses support questions - which is one of the reasons
    that Usenet was started. Usenet was set up so that GROUPS of people in
    different locations could communicate with each other in specific topic
    areas and almost all of them were questions/answers.

    You are way off base again SG.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  15. Re: outbound filtering

    On 12/27/2006 7:49 PM, something possessed badgolferman to write:
    > William, 12/27/2006,4:02:13 PM, wrote:
    >
    >> Killfile
    >>
    >> There, that's better. You can call me names all you want now, since
    >> I won't have to listen to it. Anyway, to the OP, seriously, listen
    >> to the rest of us, but pay no attention to Sebastian Gottschalk. He
    >> really gives the usenet community a bad name.
    >>
    >> Will

    >
    > I got that impression a few days ago but it was fun watching you two
    > banter. Don't give up on him yet!
    >
    > I decided to reinstall a PFW for outbound control. For now I am trying
    > to learn Comodo PFW, although it seems more complicated than the Sygate
    > 5.6 I was using before.

    Well, that's good. Best of luck to you. I guess one of the perks (and
    curses as well) to usenet is it's more or less unmoderated, so free
    speech slices both ways.

  16. Re: outbound filtering

    On Thu, 28 Dec 2006 17:23:56 +0100, Sebastian Gottschalk wrote:

    >John Wilson wrote:
    >
    >> Where in the sentence "I'm sure the O.P. and others on this forum also
    >> appreciate your contributions." do you see "Internet forum"?

    >
    >And what is context?


    There's nothing about the context that limits the meaning of "forum"
    to mean "Internet forum" or, as you seem to want to further limit
    things, "web based forum".

    We can continue this as long as you like but you should be aware that
    your ineptitude is quite obvious to readers for whom English is their
    first language.

    It occurs to me that someone who pretends to be an English language
    expert might also pretend to be an expert in other areas.

    --
    John

  17. Re: outbound filtering

    John Wilson wrote:
    > On Thu, 28 Dec 2006 17:23:56 +0100, Sebastian Gottschalk wrote:
    >
    >> John Wilson wrote:
    >>
    >>> Where in the sentence "I'm sure the O.P. and others on this forum also
    >>> appreciate your contributions." do you see "Internet forum"?

    >> And what is context?

    >
    > There's nothing about the context that limits the meaning of "forum"
    > to mean "Internet forum" or, as you seem to want to further limit
    > things, "web based forum".
    >
    > We can continue this as long as you like but you should be aware that
    > your ineptitude is quite obvious to readers for whom English is their
    > first language.
    >
    > It occurs to me that someone who pretends to be an English language
    > expert might also pretend to be an expert in other areas.
    >


    Hey, I'm missing Mr Nasty already - I'm un-filtering him now!

    Jim Ford

  18. Re: outbound filtering

    On 12/28/2006 10:02 AM, something possessed Jim Ford to write:
    > John Wilson wrote:
    >> On Thu, 28 Dec 2006 17:23:56 +0100, Sebastian Gottschalk wrote:
    >>
    >>> John Wilson wrote:
    >>>
    >>>> Where in the sentence "I'm sure the O.P. and others on this forum also
    >>>> appreciate your contributions." do you see "Internet forum"?
    >>> And what is context?

    >>
    >> There's nothing about the context that limits the meaning of "forum"
    >> to mean "Internet forum" or, as you seem to want to further limit
    >> things, "web based forum".
    >>
    >> We can continue this as long as you like but you should be aware that
    >> your ineptitude is quite obvious to readers for whom English is their
    >> first language.
    >>
    >> It occurs to me that someone who pretends to be an English language
    >> expert might also pretend to be an expert in other areas.
    >>

    >
    > Hey, I'm missing Mr Nasty already - I'm un-filtering him now!
    >
    > Jim Ford

    Great, I'm not. For some reason, I get the feeling that somehow reading
    his posts makes my intelligence quotient drop a few points. Is it
    possible to get dumber from reading someone else's rantings even if you
    don't subscribe to their ideas?

  19. Re: outbound filtering

    William wrote:
    > On 12/28/2006 10:02 AM, something possessed Jim Ford to write:
    >> Hey, I'm missing Mr Nasty already - I'm un-filtering him now!


    > Great, I'm not. For some reason, I get the feeling that somehow reading
    > his posts makes my intelligence quotient drop a few points. Is it
    > possible to get dumber from reading someone else's rantings even if you
    > don't subscribe to their ideas?


    No William let's face it, he's too smart for us. Not only is he an
    expert on computer security, but he's an expert in the English language.
    Why, if I was to suggest that he was a bit of a 'Douglas', the geezer
    would cotton on quicker than the proverbial - if you follow my drift!
    It would also be no good at all to suggest that he frequently puts 'is
    tootsie in 'is norf 'n sarf 'cos 'eed be onto our malarky in a flash -
    even if he is a 'Hampton'!
    (I hope I haven't lost our Transatlantic friends here!)

    ;^)

  20. Re: outbound filtering

    badgolferman wrote:
    > I decided to reinstall a PFW for outbound control.


    Sincere condolences, that you're fooled.

    Yours,
    VB.
    --
    "Life was simple before World War II. After that, we had systems."
    Grace Hopper
