| 1 |
Grant <emailgrant <at> gmail.com> writes: |
| 2 |
|
| 3 |
> Do you block outbound ports |
| 4 |
> with a firewall or only inbound? |
| 5 |
|
| 6 |
Logging outbound traffic, and then looking |
| 7 |
at (analyzing) the outbound traffic may |
| 8 |
be of interest to you. Two extremes |
| 9 |
are wildly unpredictable: human imaginations |
| 10 |
in a collective where outbound traffic policy |
| 11 |
is constantly morphing; like a collection |
| 12 |
of young computer scientist at your local |
| 13 |
university. Like Alan alluded to, a basic |
| 14 |
nightmare of intellectual argument as to |
| 15 |
monitoring or blocking outbound traffic. |
| 16 |
|
| 17 |
In the case where the services utilized |
| 18 |
are more consistent in a pattern that is some |
| 19 |
what consistent over time. For example a network |
| 20 |
full of machines (literally machines for |
| 21 |
physical process control) or servers offering limited |
| 22 |
fixed services, then blocking outbound traffic |
| 23 |
(that should not nor never exist) could make sense. |
| 24 |
In a complex network, this may mean several different |
| 25 |
firewalls with different policies on outbound |
| 26 |
traffic. |
| 27 |
|
| 28 |
The later network may be a candidate for |
| 29 |
extensive monitoring, pattern detection and |
| 30 |
profiling of outbound traffic; with subsequent |
| 31 |
port blocking. If it's not used, block it, some |
| 32 |
would say. Whether its is more work than of value, |
| 33 |
can only be decided by the logs and the policy |
| 34 |
requirements of that network's owner. |
| 35 |
|
| 36 |
|
| 37 |
hth, |
| 38 |
James |
Archives