Information Security in Today's Digital Culture

More on outbound firewall rules

February 24th, 2011 | Posted by Brett Edgar in Compliance | Monitoring

In a previous article, I mentioned two firewall rules that every network should have: blocking outbound DNS (udp/53 and tcp/53), and blocking outbound SMTP (tcp/25). I’d like to suggest a few more rules to add to that list.

The first rule to add is blocking of outbound Windows NetBIOS/SMB/RPC requests. Windows networking requests should never, never, NEVER leave an internal network. Period. If you have a situation where you need to communicate with an external IP using Windows networking, I have two suggestions for you:

  1. find another way to accomplish your goal, because the way you are doing it isn’t correct; or
  2. set up a VPN connection to the external IP and force the requests to cross the VPN tunnel.

By blocking NetBIOS/SMB/RPC, you will prevent your internal systems from connecting to potentially malicious external hosts. Malware often attempts to initiate NetBIOS/SMB connections, and a Windows client that follows a UNC path or embedded link to an external SMB server will also hand its NTLM credentials to whoever runs that server. Malware is bad. Go block the following services outbound:

  • tcp/135
  • tcp/139
  • tcp/445
  • udp/137
  • udp/138

My next rule suggestion is kind of cheating, because I’m going to suggest a rule to supersede the previous three: block all outbound TCP and UDP traffic to ports 0 through 1023 (and consider extending that to all 65535 ports). This moves toward implementing the principle of “default deny”. Just as the default is deny for inbound traffic with specific exceptions, the default should be deny for outbound traffic with only specific exceptions. Then you can permit the services that should be allowed outbound, and while doing that you can write business justifications for allowing the traffic. Under a default deny the explicit block rules above become redundant, but keeping them as logged rejects tells you which internal hosts are trying. Here are some suggested exceptions for an outbound default deny:

  1. HTTP traffic (tcp/80)
  2. HTTPS traffic (tcp/443)
  3. FTP traffic (tcp/21); the data connections use ports negotiated on the control channel, so the firewall needs a stateful FTP helper or transfers will fail

And then some optional rules, if policy permits:

  4. External e-mail services: POP, POP/SSL, IMAP, IMAP/SSL, and Message Submission (tcp/110, tcp/995, tcp/143, tcp/993, and tcp/587, respectively)
  5. Adobe Flash Real Time Messaging Protocol (RTMP) (tcp/1935)
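Here is the whole policy as an iptables script, added as an illustration and not taken from the author's own firewall configuration. It assumes a Linux gateway filtering LAN traffic on its way out (so the rules go in the FORWARD chain; set CHAIN=OUTPUT for a single host), assumed interface names eth1 (LAN) and eth0 (Internet), an assumed internal resolver address of 10.0.0.53 that is the only host allowed to do DNS, and conntrack support. It prints the commands by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# Outbound default-deny ruleset (added example, not the post's own config).
# Dry run by default: prints the iptables commands.  APPLY=1 executes them (run as root).

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-FORWARD}"          # FORWARD on a gateway, OUTPUT on a single host
LAN_IF="${LAN_IF:-eth1}"           # assumed name of the interface facing the LAN
WAN_IF="${WAN_IF:-eth0}"           # assumed name of the interface facing the Internet
DNS_RESOLVER="${DNS_RESOLVER:-10.0.0.53}"   # assumed internal resolver allowed out on 53

# OUTPUT has no ingress interface, so only match -i on FORWARD.
if [ "$CHAIN" = "FORWARD" ]; then IFM="-i $LAN_IF -o $WAN_IF"; else IFM="-o $WAN_IF"; fi

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Reject one port with a tagged, rate-limited log line so you can see who is trying.
block_logged() {   # $1 = proto, $2 = port, $3 = log tag
  run -A "$CHAIN" $IFM -p "$1" --dport "$2" \
      -m limit --limit 5/min -j LOG --log-prefix "OUT-$3-DENY: "
  run -A "$CHAIN" $IFM -p "$1" --dport "$2" -j REJECT
}

# Permit new outbound TCP connections to one destination port.
allow_tcp() {      # $1 = port
  run -A "$CHAIN" $IFM -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

outbound_rules() {
  run -P "$CHAIN" DROP            # default deny: anything not matched below is dropped
  run -F "$CHAIN"

  # Replies and related connections (FTP data channels) of permitted sessions.
  run -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Rules from the previous post: only the internal resolver talks DNS; no direct SMTP.
  run -A "$CHAIN" $IFM -s "$DNS_RESOLVER" -p udp --dport 53 -j ACCEPT
  run -A "$CHAIN" $IFM -s "$DNS_RESOLVER" -p tcp --dport 53 -j ACCEPT
  block_logged udp 53 DNS
  block_logged tcp 53 DNS
  block_logged tcp 25 SMTP

  # Windows networking never leaves the network.  Default deny would drop it anyway,
  # but a tagged REJECT gives a log line and a fast failure on the client.
  for p in 135 139 445; do block_logged tcp "$p" SMB; done
  for p in 137 138;     do block_logged udp "$p" SMB; done

  # Exceptions with a business justification.
  allow_tcp 80     # HTTP
  allow_tcp 443    # HTTPS
  allow_tcp 21     # FTP control; data rides on RELATED (load nf_conntrack_ftp)

  # Optional, if policy permits: external mail clients and Flash RTMP.
  if [ "${ALLOW_EXTERNAL_MAIL:-0}" = "1" ]; then
    for p in 110 995 143 993 587; do allow_tcp "$p"; done
  fi
  if [ "${ALLOW_RTMP:-0}" = "1" ]; then allow_tcp 1935; fi

  # Everything else: log (rate limited) and fall through to the DROP policy.
  run -A "$CHAIN" $IFM -m limit --limit 5/min -j LOG --log-prefix "OUT-DEFAULT-DENY: "
}

outbound_rules
```

Review the dry-run output before applying: with CHAIN=OUTPUT on a host you manage over the network, the DROP policy takes effect before the ESTABLISHED rule is added, so apply it from a console or through a script that runs to completion. The LOG prefixes are what you would then key your monitoring on.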

Even better than a default deny with explicit exceptions, start employing a web proxy (a topic for another post).

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.
