More on outbound firewall rules
September 21, 2011 | POSTED BY BRETT EDGAR IN MONITORING, COMPLIANCE
In a previous article
, I mentioned two firewall rules that every network should have: blocking outbound DNS (udp/53 and tcp/53), and blocking outbound SMTP (tcp/25). I'd like to suggest a few more rules to add to that list.
The first rule to add is blocking of outbound Windows NetBIOS/SMB/RPC requests. Windows networking requests should never, never, NEVER leave an internal network. Period. If you have a situation where you need to communicate with an external IP using Windows networking, I have two suggestions for you:
- find another way to accomplish your goal, because the way you are doing it isn't correct; or
- setup a VPN connection to the external IP and force the requests to cross the VPN tunnel.
By blocking NetBIOS/SMB/RPC, you will prevent your internal systems from connecting to potentially malicious external hosts. Malware often attempts to initiate NetBIOS/SMB connections. Malware is bad. Go block the following services outbound:
My next rule suggestion is kind of cheating, because I'm going to suggest a rule to supersede the previous three: block all outbound TCP and UDP traffic between ports 0 and 1024 (and consider blocking all ports up to 65535). This moves toward implementing the theory of "default deny". Just as the default is deny for inbound traffic with specific exceptions, the default should be deny for outbound traffic with only specific exceptions. Then you can permit the services that should be allowed outbound, and while doing that you can write business justifications for allowing the traffic. Here are some suggested exceptions for an outbound default deny:
- HTTP traffic (tcp/80)
- HTTPS traffic (tcp/443)
- FTP traffic (tcp/21)
And then some optional rules, if policy permits:
- External e-mail services: POP, POP/SSL, IMAP, IMAP/SSL, and Message Submission (tcp/110, tcp/995, tcp/143, tcp/993, and tcp/587, respectively)
- Adobe Flash Real-time Streaming Protocol (RTSP) (tcp/1935)
Even better than a default deny with explicit exceptions, start employing a web proxy (a topic for another post).