Any suggestion on other ports to deny?
19 years 5 months ago #8872
by DaLight
Replied by DaLight on topic Re: Any suggestion on other ports to deny?
I agree with TheBishop and eddydreni. It may seem a bit scary locking down all outgoing ports by default, but it's the best way to go. It gives you full control and knowledge of what's going out of your system. I did it about a year ago on my network and after the initial configuration issues, it works like a dream. You will probably find that most of your users require ports 80 (HTTP) and 443 (HTTPS) and you can add the others as required.
19 years 5 months ago #8907
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Any suggestion on other ports to deny?
"That which is not expressly permitted is disallowed"
I cannot overstate this enough -- If you follow the other axiom
"That which is not expressly denied is permitted"
Then you do *not* have an access control solution.
I'm afraid if you want security, you'll have to work with those developers, maybe in a testbed setup...
Developers always make these mistakes... even when coding they blacklist certain inputs and allow everything else... when they should be whitelisting only valid input and denying everything else.
There are two very simple weaknesses in your access-control strategy
1) Attackers can easily change the default ports in backdoors to ports that your filtering device allows
2) You cannot feasibly respond to a new threat working on a new port in human-time (think slammer -- 8 minutes for total infection worldwide)...
Cheers mate,
19 years 4 months ago #8972
by UHSsncmrm
A scapegoat is often as welcome as a solution...never memorize what you can look up.
Replied by UHSsncmrm on topic Re: Any suggestion on other ports to deny?
I agree whole-heartedly; it's just getting buy-in to make those wholesale changes (unfortunately).
19 years 4 months ago #8973
by Lexion
Replied by Lexion on topic Re: Any suggestion on other ports to deny?
Does your current firewall support logging? If so, have a look in it.
I would go about trying to turn the firewall round in this way.
Create an allow-all rule and enable logging.
Once I start to get data in the log, I would see what I know is legit traffic and create a rule above the default allow rule, and keep clearing the log till I have gotten as much legit traffic as possible.
This may take some time, but once you have weeded out what you know is good you can then start to track down some of the ports that you are unsure of, then turn the default allow rule into a default deny-all and you should be all sorted.
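The procedure Lexion describes (log under allow-all, promote known-good traffic to explicit allow rules, then flip the default to deny) and the default-deny argument made by DaLight and sahirh above, as one added worked example. This is not code from any of the posters or from Firewall.cx. It assumes a netfilter/syslog-style log format (`ACCEPT ... SRC= DST= PROTO= ... DPT=`), a constructed log sample, an egress interface named `eth0`, and a set of services the administrator has already vetted; all of these are assumptions for illustration.

```python
"""Turning a default-allow firewall into a default-deny one from its own logs.

Added example: parse ACCEPT log lines, tally outbound destination ports,
promote only the ports an admin has vetted into allow rules, report the
rest for investigation, and compare first-match evaluation of a blacklist
(default allow) against the resulting allowlist (default deny).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log in the netfilter/syslog style; not real traffic.
SAMPLE_LOG = """\
Jun 10 09:12:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=80
Jun 10 09:12:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443
Jun 10 09:12:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=53
Jun 10 09:12:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.44 PROTO=TCP SPT=51300 DPT=443
Jun 10 09:12:11 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=192.0.2.77 PROTO=TCP SPT=51399 DPT=6667
Jun 10 09:13:15 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=192.0.2.77 PROTO=TCP SPT=51400 DPT=8080
Jun 10 09:13:20 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=80
"""

# Assumed log layout; adjust the pattern to whatever your firewall emits.
LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

Service = Tuple[str, int]  # (protocol, destination port)


def tally_outbound(log_text: str) -> Counter:
    """Count (proto, dport) pairs seen on ACCEPTed outbound connections."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None or m["action"] != "ACCEPT":
            continue  # only traffic that actually got out tells us what users need
        counts[(m["proto"], int(m["dpt"]))] += 1
    return counts


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port


def propose_allowlist(counts: Counter, known_good: Set[Service]) -> Tuple[List[Rule], Dict[Service, int]]:
    """Promote vetted services to allow rules; return the unvetted ones with hit counts.

    Unvetted ports are deliberately NOT turned into rules: they are the list the
    admin still has to track down before flipping the default to deny.
    """
    rules: List[Rule] = []
    unknown: Dict[Service, int] = {}
    for service, hits in counts.most_common():
        if service in known_good:
            rules.append(Rule("allow", service[0], service[1]))
        else:
            unknown[service] = hits
    return rules, unknown


def evaluate(rules: List[Rule], default_action: str, proto: str, dport: int) -> str:
    """First-match evaluation; the default applies when no rule matches."""
    for r in rules:
        if (r.proto is None or r.proto == proto) and (r.dport is None or r.dport == dport):
            return r.action
    return default_action


def render_iptables(rules: List[Rule], chain: str = "FORWARD", out_if: str = "eth0") -> List[str]:
    """Render rules as iptables commands, then log and drop everything else (assumed chain/interface)."""
    cmds = []
    for r in rules:
        target = "ACCEPT" if r.action == "allow" else "DROP"
        match = f" -p {r.proto.lower()}" if r.proto else ""
        match += f" --dport {r.dport}" if r.dport is not None else ""
        cmds.append(f"iptables -A {chain} -o {out_if}{match} -j {target}")
    cmds.append(f'iptables -A {chain} -o {out_if} -j LOG --log-prefix "EGRESS-DROP "')
    cmds.append(f"iptables -A {chain} -o {out_if} -j DROP")
    return cmds


def demo() -> dict:
    counts = tally_outbound(SAMPLE_LOG)
    known_good = {("TCP", 80), ("TCP", 443), ("UDP", 53)}  # vetted by the admin (assumed)
    allow_rules, unknown = propose_allowlist(counts, known_good)

    # The blacklist approach the thread argues against: deny a couple of known-bad
    # ports and allow the rest by default.
    blacklist = [Rule("deny", "TCP", 6667), Rule("deny", "TCP", 31337)]

    backdoor = ("TCP", 8080)  # a backdoor whose operator moved it off its default port
    return {
        "unknown": unknown,
        "blacklist_verdict": evaluate(blacklist, "allow", *backdoor),
        "allowlist_verdict": evaluate(allow_rules, "deny", *backdoor),
        "https_verdict": evaluate(allow_rules, "deny", "TCP", 443),
        "iptables": render_iptables(allow_rules),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it with `python3 egress_allowlist.py` (any filename will do). The 8080 connection shows both halves of the argument: under the blacklist it is allowed because nobody listed 8080, under the allowlist it is dropped because nobody vetted it, and it shows up in the "unknown" report for the admin to chase before the default is flipped. The caveat sahirh's first point implies still applies after the flip: a backdoor that moves to 443 passes a port-only allowlist, so the next step is forcing such traffic through a proxy or inspecting it rather than trusting the port number.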