Networking Forums

Networking Forums > Computer Networking > Windows Networking > Firewall madness?

Firewall madness?

 
 
Mickel
      05-17-2010, 05:45 AM
Is it just me who thinks the way we block outgoing ports is madness? The
justification I see for this is usually that it stops viruses that might
get onto local PCs contacting the outside world. This is all well and
good except that it seems to be having the effect that everything is
being migrated to port 80 anyway. Surely viruses too. The problem now is
that because everything is now moving to port 80 you can't block certain
functionality just based on port anymore which is defeating the entire
purpose in the first place. Eventually everything it seems will be on
port 80. I've worked at several companies that don't block any outside
ports except maybe a few specific ones (eg 25) and the company hasn't
run into any disasters.

Thoughts?

Thanks,
Michael
 
Chris M
      05-17-2010, 08:40 AM
On 17/05/2010 06:45, Mickel wrote:
> Is it just me who thinks the way we block outgoing ports is madness? The
> justification I see for this is usually that it stops viruses that might
> get onto local PCs contacting the outside world. This is all well and
> good except that it seems to be having the effect that everything is
> being migrated to port 80 anyway. Surely viruses too. The problem now is
> that because everything is now moving to port 80 you can't block certain
> functionality just based on port anymore which is defeating the entire
> purpose in the first place. Eventually everything it seems will be on
> port 80. I've worked at several companies that don't block any outside
> ports except maybe a few specific ones (eg 25) and the company hasn't
> run into any disasters.


The basic rule of firewalls is that you start by blocking everything and
then open up only what you need. If all your traffic is going via port
80, why would you need the other ports open anyway?

Blocking everything except what you absolutely need will also give you
insight into what's happening on your network. For example, if your
firewall logs show hundreds of denied outgoing connection requests on
port 135/137, you might want to check the source machine for viruses and
worms.

With regards to everything going via port 80 (and 443) these days, a lot
of Enterprise firewalls will now do application level filtering whereby
it can look inside the traffic and figure out what protocol has been
encapsulated inside the HTTP stream. For example, in ISA server you can
block MSN over HTTP without blocking normal web traffic. Some
firewalls/filters will also do TLS bridging which enables them to filter
traffic using a secured connection too.

One final point, remember that since the days of the Blaster worm (which
transferred itself via the RPC protocol - port 135), it's generally seen
as a good idea not only to firewall your network from the outside world,
but also to firewall your internal clients from each other.

--
Chris M.
 
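A worked example of the log-driven check Chris describes, added here by the editor and not part of the thread: it parses a constructed log format (invented for illustration; no real firewall emits exactly these lines), counts outbound attempts to 135/137 per source host, and flags hosts that fan out to several distinct destinations, which is what a Blaster-style worm looks like from the egress firewall. It deliberately ignores whether the firewall allowed or denied the attempt, since logging alone produces the same signal.

```python
"""Triage of egress-firewall logs for worm-like behaviour on a LAN client.

Added example; the log format is invented for illustration and is not the
output of any particular firewall. One line per connection attempt:
  <date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
"""
import re
from collections import Counter, defaultdict

# Destination ports the thread singles out: MS-RPC (135) and NetBIOS-NS (137).
WORM_PORTS = {135, 137}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.12 fans out to five hosts on 135/137 (Blaster
# style); 10.0.0.7 browses normally and trips one stray 135 attempt.
SAMPLE_LOG = [
    "2010-05-17 08:40:01 DENY TCP 10.0.0.12:49152 -> 203.0.113.5:135",
    "2010-05-17 08:40:01 DENY TCP 10.0.0.12:49153 -> 203.0.113.6:135",
    "2010-05-17 08:40:02 DENY TCP 10.0.0.12:49154 -> 203.0.113.7:135",
    "2010-05-17 08:40:02 DENY UDP 10.0.0.12:49155 -> 203.0.113.8:137",
    "2010-05-17 08:40:03 ALLOW TCP 10.0.0.12:49156 -> 203.0.113.9:135",
    "2010-05-17 08:40:06 ALLOW TCP 10.0.0.7:50000 -> 198.51.100.10:80",
    "2010-05-17 08:40:07 ALLOW TCP 10.0.0.7:50001 -> 198.51.100.11:443",
    "2010-05-17 08:40:08 DENY TCP 10.0.0.7:50002 -> 203.0.113.20:135",
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(lines, threshold=3):
    """Report sources that tried WORM_PORTS against >= threshold distinct hosts.

    The action field is deliberately not used as a filter: a firewall that
    logs allowed connections yields the same signal as one that denies them.
    """
    by_port = defaultdict(Counter)   # src -> Counter({dport: attempts})
    targets = defaultdict(set)       # src -> distinct destination addresses
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WORM_PORTS:
            continue
        by_port[rec["src"]][rec["dport"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {
        src: {
            "attempts": sum(ports.values()),
            "targets": len(targets[src]),
            "by_port": dict(ports),
        }
        for src, ports in by_port.items()
        if len(targets[src]) >= threshold
    }


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"check {src} for worms: {info}")
```

The threshold is on distinct destinations rather than raw attempts because a single legitimate RPC connection retried a few times looks very different from one host sweeping a range of addresses; tune it to the size of the network and feed it the real firewall's export format in place of the constructed lines.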
Mickel
      05-17-2010, 01:21 PM
On 17/05/10 10:52 PM, Bill Kearney wrote:
> In a work environment there are expectations of people doing, oh, say,
> actual WORK.


There are two problems I can see with that. The first is that people found
ways to slack off long before the internet existed and will continue to
do so. Providing a working environment that gives people the right
atmosphere where they want to work is going to be more effective.

The second problem is that it more often than not restricts people who
are trying to do, oh, say, WORK. A perfect example was the other day I
needed to log into a client's router on 8081. This was part of my job
but was blocked. Other clients have had RDP sessions available on 3390,
3391 etc for a group of machines.


> Things like web proxies and filters, along with log
> analysis, can help assure that work time and network resources are being
> used for work related purposes.


If that needs to be done then that is fine but isn't that a different issue?

> Yet.


No problems yet and in the meantime I've been able to get my job done :-)

Michael

 
Chris M
      05-17-2010, 01:35 PM
On 17/05/2010 14:21, Mickel wrote:
> On 17/05/10 10:52 PM, Bill Kearney wrote:
>> In a work environment there are expectations of people doing, oh, say,
>> actual WORK.

>
> There are two problems I can see with that. The first is that people found
> ways to slack off long before the internet existed and will continue to
> do so. Providing a working environment that gives people the right
> atmosphere where they want to work is going to be more effective.
>
> The second problem is that it more often than not restricts people who
> are trying to do, oh, say, WORK. A perfect example was the other day I
> needed to log into a client's router on 8081. This was part of my job
> but was blocked. Other clients have had RDP sessions available on 3390,
> 3391 etc for a group of machines.


It sounds to me like the following is happening here:

1. A client has their router's configuration interface exposed to the
Internet on port 8081

2. A client is exposing RDP connections to the Internet (using port
mapping on the router so you can connect to different machines using the
other port numbers)

I hope I'm wrong because neither of these are good things, point 1 in
particular.

What's wrong with using a VPN for each client? This will secure your
clients networks and also mean that you don't need to open up arbitrary
outbound port numbers depending on your clients needs.



>> Things like web proxies and filters, along with log
>> analysis, can help assure that work time and network resources are being
>> used for work related purposes.

>
> If that needs to be done then that is fine but isn't that a different
> issue?
>
>> Yet.

>
> No problems yet and in the meantime I've been able to get my job done :-)
>
> Michael
>


 
Mickel
      05-17-2010, 01:39 PM

On 17/05/10 6:40 PM, Chris M wrote:
> The basic rule of firewalls is that you start by blocking everything and
> then open up only what you need.


The problem is I've never worked in an environment or met someone who
has where stuff that you need unblocked for your daily work actually
gets unblocked. No one is following your basic rule. The other problem
is that you don't know what you're going to need.

> If all your traffic is going via port
> 80, why would you need the other ports open anyway?


That's a circular argument. I'm saying it's bad that everything is going
to 80 and you're replying "see you only need 80, everything's there".
That just doesn't make sense.

My opinion would be it would be better to leave everything open except
what you know might be an issue and no one is likely to need. Eg 25, 135 etc

> Blocking everything except what you absolutely need will also give you
> insight into what's happening on your network. For example, if your
> firewall logs show hundreds of denied outgoing connection requests on
> port 135/137, you might want to check the source machine for viruses and
> worms.


Can't you log this without it being blocked?

> With regards to everything going via port 80 (and 443) these days, a lot
> of Enterprise firewalls will now do application level filtering whereby
> it can look inside the traffic and figure out what protocol has been
> encapsulated inside the HTTP stream. For example, in ISA server you can
> block MSN over HTTP without blocking normal web traffic. Some
> firewalls/filters will also do TLS bridging which enables them to filter
> traffic using a secured connection too.


I guess this makes sense and it is a good thing to have but isn't this a
symptom of the problem? By blocking everything and having all these
companies move their traffic to port 80 we are just bringing this extra
complexity upon ourselves. If ports were generally left open then stuff
wouldn't be slowly migrating to 80 and we wouldn't need firewalls to
inspect packets to determine what the traffic was.

The other problem with this is you need to have a firewall that does
this. In my case I was asked by a client to block internet on several
PCs but leave several other services open (eg virus scan update). The
problem is that *every* service they asked me to leave open is on 80.

> One final point, remember that since the days of the Blaster worm (which
> transferred itself via the RPC protocol - port 135), it's generally seen
> as a good idea not only to firewall your network from the outside world,
> but also to firewall your internal clients from each other.


I can see the issue but think it would be better just to block ports
that are considered dangerous. We're going to end up with so many
services on 80 that the viruses just use 80 anyway.
>


 
Chris M
      05-17-2010, 01:57 PM
On 17/05/2010 14:39, Mickel wrote:
>
> On 17/05/10 6:40 PM, Chris M wrote:
>> The basic rule of firewalls is that you start by blocking everything and
>> then open up only what you need.

>
> The problem is I've never worked in an environment or met someone who
> has where stuff that you need unblocked for your daily work actually
> gets unblocked. No one is following your basic rule. The other problem
> is that you don't know what you're going to need.
>
>> If all your traffic is going via port
>> 80, why would you need the other ports open anyway?

>
> That's a circular argument. I'm saying it's bad that everything is going
> to 80 and you're replying "see you only need 80, everything's there".
> That just doesn't make sense.


I don't quite understand what you're getting at. Why do you need all
your ports open if you agree that everything uses port 80? Even if you
think it's a bad thing, opening other ports up isn't going to change the
way those things work. They're still using port 80 but now you have a
load of ports open that don't need to be open.

>
> My opinion would be it would be better to leave everything open except
> what you know might be an issue and no one is likely to need. Eg 25, 135
> etc


This is bad security practice. I'm not going to explain why.

>
>> Blocking everything except what you absolutely need will also give you
>> insight into what's happening on your network. For example, if your
>> firewall logs show hundreds of denied outgoing connection requests on
>> port 135/137, you might want to check the source machine for viruses and
>> worms.

>
> Can't you log this without it being blocked?


Of course.

>> With regards to everything going via port 80 (and 443) these days, a lot
>> of Enterprise firewalls will now do application level filtering whereby
>> it can look inside the traffic and figure out what protocol has been
>> encapsulated inside the HTTP stream. For example, in ISA server you can
>> block MSN over HTTP without blocking normal web traffic. Some
>> firewalls/filters will also do TLS bridging which enables them to filter
>> traffic using a secured connection too.

>
> I guess this makes sense and it is a good thing to have but isn't this a
> symptom of the problem? By blocking everything and having all these
> companies move their traffic to port 80 we are just bringing this extra
> complexity upon ourselves. If ports were generally left open then stuff
> wouldn't be slowly migrating to 80 and we wouldn't need firewalls to
> inspect packets to determine what the traffic was.
>
> The other problem with this is you need to have a firewall that does
> this. In my case I was asked by a client to block internet on several
> PCs but leave several other services open (eg virus scan update). The
> problem is that *every* service they asked me to leave open is on 80.


That's the way things are. I don't see how you're going to get around it
by opening up more ports. Your AV software will still be using port 80
to update regardless of the other ports you have open.

>> One final point, remember that since the days of the Blaster worm (which
>> transferred itself via the RPC protocol - port 135), it's generally seen
>> as a good idea not only to firewall your network from the outside world,
>> but also to firewall your internal clients from each other.

>
> I can see the issue but think it would be better just to block ports
> that are considered dangerous. We're going to end up with so many
> services on 80 that the viruses just use 80 anyway.


OK, I'm starting to sense trolling now. Again, if you agree that
everything is starting to use the HTTP/S ports (regardless of whether
that's good or not), why would opening up a load of other ports make
things better and not worse?

--
Chris M.


 
Phillip Windell
      05-17-2010, 03:10 PM

"Mickel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it just me who thinks the way we block outgoing ports is madness? The
> justification I see for this is usually that it stops viruses that might
> get onto local PCs contacting the outside world. This is all well and good
> except that it seems to be having the effect that everything is being
> migrated to port 80 anyway. Surely viruses too.


That is correct.

That is why firewalls worth buying don't simply look at the ports. Good
firewalls look at the traffic itself. Using ISA (TMG) Server for
example,...if you tell it that some traffic is using port 80 then it expects
the traffic to be true HTTP,...and not only that but the HTTP must follow
RFC specs exactly or it is dropped. It does FTP the same way.

Many product vendors have fallen into a trap on this by their faulty view
of firewalls. They think,..."Well, everyone allows port 80 outbound, so we
will just make our product "do its thing" on port 80 and it will be fine".
The problem is that their product is not using HTTP (or a sloppy HTTP) when
it does it and so it fails going through the firewall. Had they just simply
come up with a port all their own to use then it would have been a simple
thing to configure the firewall to work with it and it would have worked
fine.

BTW - "Viruses" are hardly ever seen anymore. Most of the threats now are
some form of malware. The malware does not "come into" the LAN,...the user
goes to it,...gets it,...and brings it in.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
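To make concrete what "the traffic must be true HTTP" means, here is an added example (the editor's illustration, not ISA/TMG code and not a description of how that product parses traffic): a strict request-syntax check modelled on RFC 7230, applied to the first bytes a client sends towards port 80. All sample streams are constructed. The last sample shows the limit of a purely syntactic check: a foreign protocol carried inside well-formed HTTP passes, which is why the MSN-over-HTTP case Chris mentioned needs content inspection on top of this.

```python
"""Strict HTTP request-syntax check, in the spirit of a firewall that only
lets "true HTTP" out on port 80.  Added example; it is not the filter of any
real product and the sample byte strings are constructed."""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 7230 tchar
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
HEADER = re.compile(rf"^({TOKEN}):[ \t]*([^\r\n]*?)[ \t]*$")


def check_http_request(data: bytes):
    """Return (accepted, reason) for the client's opening bytes on port 80."""
    if b"\r\n\r\n" not in data:
        return False, "no CRLF CRLF ending the header block"
    head = data.split(b"\r\n\r\n", 1)[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in header block"
    stripped = text.replace("\r\n", "")
    if "\n" in stripped or "\r" in stripped:
        return False, "bare CR or LF line ending"          # sloppy HTTP
    lines = text.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return False, f"malformed request line {lines[0]!r}"
    names = []
    for line in lines[1:]:
        h = HEADER.match(line)
        if h is None:
            return False, f"malformed header {line!r}"
        names.append(h.group(1).lower())
    if (m.group(3), m.group(4)) == ("1", "1") and names.count("host") != 1:
        return False, "HTTP/1.1 request without exactly one Host header"
    return True, "well-formed HTTP request"


# Constructed client streams (none captured from a real product).
SAMPLES = {
    # the kind of AV update fetch the thread says must keep working
    "av_update": (b"GET /update.xml HTTP/1.1\r\nHost: updates.example.com\r\n"
                  b"User-Agent: av-updater/1.0\r\n\r\n"),
    # a vendor that simply moved a non-HTTP protocol onto port 80
    "ssh_on_80": b"SSH-2.0-OpenSSH_5.3\r\n",
    # "sloppy HTTP": LF-only line ending on the request line
    "bare_lf": b"GET /api HTTP/1.1\nHost: api.example.com\r\n\r\n",
    # HTTP/1.1 without a Host header
    "no_host": b"POST /rpc HTTP/1.1\r\nContent-Length: 4\r\n\r\nabcd",
    # something else wrapped in valid HTTP: syntax alone cannot catch it
    "tunnel_in_http": (b"POST /gateway HTTP/1.1\r\nHost: im.example.net\r\n"
                       b"\r\nVER 1 CONSTRUCTED-PROTOCOL"),
}


def classify_all(samples=SAMPLES):
    """Map each sample name to whether the strict check would pass it."""
    return {name: check_http_request(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {check_http_request(raw)}")
```

The check is intentionally strict (CRLF only, token-valid method and header names, exactly one Host on HTTP/1.1); a relaxed parser would have waved through the "sloppy HTTP" that Phillip describes failing at the firewall. Conversely, the tunnelled sample is accepted, which is the gap that application-level filters have to close by looking at the request target, content type and body rather than the framing.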
Mickel
      05-17-2010, 03:14 PM

On 17/05/10 11:57 PM, Chris M wrote:
> I don't quite understand what you're getting at. Why do you need all
> your ports open if you agree that everything uses port 80?


I never said everything is using port 80. I have specifically mentioned
services that don't use 80 such as RDP. I said everything is slowly
moving towards 80.

> Even if you
> think it's a bad thing, opening other ports up isn't going to change the
> way those things work. They're still using port 80 but now you have a
> load of ports open that don't need to be open.


No, opening up 1433 will enable SQL Server for example.

> This is bad security practice. I'm not going to explain why.


Ok.

> That's the way things are. I don't see how you're going to get around it
> by opening up more ports. Your AV software will still be using port 80
> to update regardless of the other ports you have open.


Yes but the point I'm making is that if we didn't have this closed
policy of blocking all ports then the virus software would likely not be
using 80.

> OK, I'm starting to sense trolling now. Again, if you agree that
> everything is starting to use the HTTP/S ports (regardless of whether
> that's good or not), why would opening up a load of other ports make
> things better and not worse?


Slow down and read what I'm saying. I am not trolling.

Michael
 
Mickel
      05-17-2010, 03:17 PM

On 17/05/10 11:35 PM, Chris M wrote:
> It sounds to me like the following is happening here:
>
> 1. A client has their router's configuration interface exposed to the
> Internet on port 8081
>
> 2. A client is exposing RDP connections to the Internet (using port
> mapping on the router so you can connect to different machines using the
> other port numbers)
>
> I hope I'm wrong because neither of these are good things, point 1 in
> particular.
>
> What's wrong with using a VPN for each client? This will secure your
> clients networks and also mean that you don't need to open up arbitrary
> outbound port numbers depending on your clients needs.


Maybe these things are bad but I didn't set them up. This was something
the client did, they just want me to connect. In these cases they were
home users. The point was that I had a requirement to use a port which I
could not have predicted ahead of time.

Michael
 
Chris M
      05-17-2010, 03:40 PM
On 17/05/2010 16:14, Mickel wrote:
>
> On 17/05/10 11:57 PM, Chris M wrote:
>> I don't quite understand what you're getting at. Why do you need all
>> your ports open if you agree that everything uses port 80?

>
> I never said everything is using port 80. I have specifically mentioned
> services that don't use 80 such as RDP. I said everything is slowly
> moving towards 80.
>
>> Even if you
>> think it's a bad thing, opening other ports up isn't going to change the
>> way those things work. They're still using port 80 but now you have a
>> load of ports open that don't need to be open.

>
> No, opening up 1433 will enable SQL Server for example.


It certainly will. That would imply that you'd need to connect to a SQL
server that's allowing incoming connections on 1433 from the Internet? I
don't think anyone would agree that's a good idea.

Traffic such as you have described (RDP, SQL Server etc) that needs to
go via the Internet is much better served via a VPN. Not least because
those protocols can be easily sniffed for useful information - not least
the username and password that you're using to connect. A VPN tunnel
would encrypt this information. You also then only have to configure
your firewall to allow VPN connections, and you can then allow any
protocol between the two endpoints. Much easier, safer and enormously
less risky.


>> This is bad security practice. I'm not going to explain why.

>
> Ok.
>
>> That's the way things are. I don't see how you're going to get around it
>> by opening up more ports. Your AV software will still be using port 80
>> to update regardless of the other ports you have open.

>
> Yes but the point I'm making is that if we didn't have this closed
> policy of blocking all ports then the virus software would likely not be
> using 80.
>
>> OK, I'm starting to sense trolling now. Again, if you agree that
>> everything is starting to use the HTTP/S ports (regardless of whether
>> that's good or not), why would opening up a load of other ports make
>> things better and not worse?

>
> Slow down and read what I'm saying. I am not trolling.

 