Closing ports
on 16.07.2007 20:13:34 by doricnews
Received wisdom has been that all outgoing ports, other than those
actually required for use (e.g. for DNS, the web, e-mail, newsgroups and
possibly some others) should be closed.
However, I find it difficult to believe that any serious bug wanting to
report home would try to use any port other than one of those which is
almost certain to be open, and therefore I wonder how important it now
is to close all unused outgoing ports.
I have always followed that practice (using IPCop) but I have found it
rather annoying when I want to use ftp. For example, I have found
using FileZilla that one needs to open 30 or so consecutive ports in
order to use passive ftp.
My question is not entirely academic because circumstances may force me
to use a firewall which does not have the ability to close outgoing ports.
Kind regards to all
Brian
Re: Closing ports
on 19.07.2007 15:14:34 by doricnews
In article ,
juergen.nieveler.nospam@arcor.de (Juergen Nieveler) wrote:
> *From:* Juergen Nieveler
> *Date:* 17 Jul 2007 13:55:51 GMT
>
> doricnews@btinternet.com (Brian) wrote:
>
> > Received wisdom has been that all outgoing ports, other than those
> > actually required for use (e.g. for DNS, the web, e-mail, newsgroups
> > and possibly some others) should be closed.
>
> That's a common security measure, usually used in conjunction with a
> mandatory proxy server
>
> > However, I find it difficult to believe that any serious bug wanting
> > to report home would try to use any port other than one of those
> > which is almost certain to be open, and therefore I wonder how
> > important it now is to close all unused outgoing ports.
>
> True, malware writers have adapted - up to the point where they use
> Internet Explorer itself to connect out (thus defeating some
> application monitoring systems and proxy servers)
>
> > I have always followed that practice (using IPCop) but I have found
> > it rather annoying when I want to use ftp. For example, I have found
> > using FileZilla that one needs to open 30 or so consecutive ports
> > in order to use passive ftp.
>
> FTP is a nightmare from a firewall POV - it wasn't really designed
> with firewalls in mind, and passive FTP was a hasty add-on to deal
> with them.
>
> > My question is not entirely academic because circumstances may force
> > me to use a firewall which does not have the ability to close
> > outgoing ports.
>
> Closing outbound ports can enhance security, but not being able to do
> so shouldn't be a showstopper. However, it means that you can't
> control who can connect outbound should you desire so...
>
> Juergen Nieveler
> --
> Give me the money that has been spent in war, and ... I will clothe
> every man, woman and child in attire of which kings and queens would
> be proud.
> Henry Richard
>
Thanks for your comments Juergen.
I had not realised that bugs were able to use Internet Explorer for
outward transmissions. Although, as you intimate, this ability will
reduce the worth of programs like Zone Alarm, I suppose that programs
like ProcessGuard, which the defunct company DiamondCS used to market,
may be able to detect activity which would warn a user of something
untoward.
Brian
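As an added illustration (not part of the thread, and not IPCop's or FileZilla's code), the Python below sketches what a stateful firewall's FTP helper does instead of opening a static block of 30 outgoing ports: it reads the "227 Entering Passive Mode" reply on the port-21 control channel and opens a single one-shot pinhole for the announced data port, ignoring replies that point at a different host. The allowlist, server addresses and connection attempts are constructed for the example.

```python
import re

# Constructed static egress allowlist, like the one discussed in the thread:
# FTP control, SMTP, DNS, HTTP, POP3, NNTP, HTTPS.
STATIC_ALLOW = {21, 25, 53, 80, 110, 119, 443}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced by an FTP 227 reply, or None if not a PASV reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class EgressPolicy:
    """Fixed allowlist plus data-port pinholes learned from the FTP control channel."""

    def __init__(self, allow=STATIC_ALLOW):
        self.allow = set(allow)
        self.pinholes = set()  # (dst_ip, dst_port) pairs opened by a PASV reply

    def observe_control(self, server_ip, reply):
        parsed = parse_pasv(reply)
        # Only trust a data port on the same host as the control connection;
        # a reply naming a third host would turn the pinhole into a relay.
        if parsed and parsed[0] == server_ip:
            self.pinholes.add(parsed)

    def allowed(self, dst_ip, dst_port):
        if dst_port in self.allow:
            return True
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))  # one data connection per reply
            return True
        return False


def run_demo():
    """Constructed session: one PASV reply, then five outbound attempts."""
    policy = EgressPolicy()
    ftp_server = "192.0.2.10"
    policy.observe_control(ftp_server, "227 Entering Passive Mode (192,0,2,10,195,80)")
    attempts = [(ftp_server, 50000), ("198.51.100.7", 50000), (ftp_server, 50000),
                ("203.0.113.5", 443), ("203.0.113.5", 6667)]
    return [policy.allowed(ip, port) for ip, port in attempts]
```

Only the first data connection to the announced host and port gets through; a second attempt, the same port on another host, and an unlisted port are all refused, while port 443 passes on the static allowlist.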