On Sat 20 August 2011 10:38:43 Grant did opine thusly:

> I like the policy of blocking all ports in and out with a firewall
> and only opening the ones you need. Bittorrent makes that
> difficult since it connects out to unpredictable ports. Do you
> block outbound ports with a firewall or only inbound?

For the most part only inbound. Blocking outbound is pretty much
pointless as a security measure.

You cannot control what people will want to connect to outbound. Every
time you think you have a complete list, someone will come along and
provide you with heaps of reasons as to why their request is legit
(and it usually is!)

What you can control completely is the services you offer and on what
ports, therefore inbound firewalls make sense.

That's not to say we don't use outbound firewalls at all, we do - as a
policy measure. Outbound port 25 is blocked so that people will use my
relays instead. I trust them to play nice, they trust me to keep the
service up. For us, this works well. But as a security measure the
entire model falls apart as soon as someone with a clue comes along. I
have this game I play with our firewall/security people where I get to
look smug. Tool of choice? ssh

The security benefits from outbound connections to my mind are:
warm-and-fuzzy security
cover-your-ass security
just-do-whatever-the-damn-auditor-says-so-he-can-stfu security
i-don't-know-what-i'm-doing security

but almost never real security. That's better done with permanent ACLs
on the routers.

--
alan dot mckinnon at gmail dot com
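The policy described in the reply above (inbound default-deny with only the offered services opened; outbound left open except SMTP, which is steered to the organisation's own relays) expressed as an iptables rule generator. This is an added example, not code from the original post; the relay addresses and the list of offered ports are constructed placeholders.

```shell
#!/bin/sh
# Generate the iptables commands for the policy discussed in the thread:
#   inbound  : default DROP, accept only loopback, established flows and
#              the services this host deliberately offers
#   outbound : default ACCEPT, but TCP/25 is permitted only to the named
#              relays (a policy measure, not a security control)
# Constructed example values (not from the original post):
RELAYS="192.0.2.10 192.0.2.11"   # the organisation's SMTP relays
INBOUND_PORTS="22 80 443"        # services this host actually offers

gen_rules() {
    # Emit one command per line so the rule set can be reviewed first
    # and only then applied, e.g.: gen_rules | sudo sh
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $INBOUND_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound SMTP: allow the relays explicitly, then refuse all other
    # destinations on port 25 so clients get an immediate, visible failure.
    for r in $RELAYS; do
        echo "iptables -A OUTPUT -p tcp --dport 25 -d $r -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# Number of rules that touch port 25: one ACCEPT per relay plus the REJECT.
smtp_rule_count() {
    gen_rules | grep -c -- '--dport 25'
}
```

Run `gen_rules` and read the output before piping it to a root shell; the inbound port list is the only part that needs to change per host.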