mersenneforum.org > Great Internet Mersenne Prime Search > Software
Old 2019-12-05, 18:25   #1
chalsall
If I May
"Chris Halsall"
Sep 2002
Barbados

Firewalling best practices...

I didn't know where this should go. If there's a better place, could a Supermod please move it there.

I have encountered a weird issue. A (somewhat large) client of mine seems to configure their firewalls such that "high" ports (I haven't determined the actual range, but let's say above 1023) are blocked for outgoing traffic. Not new incoming, but new outgoing.

I can think of absolutely no security advantage in doing this. And, I always use non-standard "high" ports for services like SSH, so I can't access my systems while within their networks. (Yes, I know doing this doesn't give any security advantage, but it greatly lessens the "noise" in the logs from script kiddies.)

Before I start the (long) process of trying to have their (human) policies changed, can anyone think of a reason or situation this would make sense?
Old 2019-12-05, 18:52   #2
retina
Undefined
"The unspeakable one"
Jun 2006
My evil lair

Quote:
Originally Posted by chalsall
I didn't know where this should go. If there's a better place, could a Supermod please move it there.

I have encountered a weird issue. A (somewhat large) client of mine seems to configure their firewalls such that "high" ports (I haven't determined the actual range, but let's say above 1023) are blocked for outgoing traffic. Not new incoming, but new outgoing.

I can think of absolutely no security advantage in doing this. And, I always use non-standard "high" ports for services like SSH, so I can't access my systems while within their networks. (Yes, I know doing this doesn't give any security advantage, but it greatly lessens the "noise" in the logs from script kiddies.)

Before I start the (long) process of trying to have their (human) policies changed, can anyone think of a reason or situation this would make sense?
I assume you mean high port numbers for destination traffic, not for source traffic?

I guess the perceived advantage is to reduce the chance of employees using bittorrent and other P2P services that like to use high port numbers by default.
Old 2019-12-05, 19:09   #3
PhilF
"6800 descendent"
Feb 2005
Colorado

That's probably a good place to start: Find out if the policy is meant to help secure the network, or instead clamp down on what the network users can do.
Old 2019-12-05, 19:34   #4
chalsall
If I May
"Chris Halsall"
Sep 2002
Barbados

Quote:
Originally Posted by retina
I assume you mean high port numbers for destination traffic, not for source traffic?
Yes.

Quote:
Originally Posted by retina
I guess the perceived advantage is to reduce the chance of employees using bittorrent and other P2P services that like to use high port numbers by default.
Ah... Yes, that makes sense.

I would have managed that kind of thing by way of protocol filtering and/or traffic metering, but this is probably easier for them and impacts few users.

Unfortunately, this /is/ impacting my "handler" and his team. But they're non-nominal users. We'll have to ask for exception rules to be added.

Thanks for the rational explanation. For the life of me, I didn't see it.
Old 2019-12-06, 02:05   #5
xilman
Bamboozled!
May 2003
Down not across

Quote:
Originally Posted by chalsall
Yes.

Ah... Yes, that makes sense.

I would have managed that kind of thing by way of protocol filtering and/or traffic metering, but this is probably easier for them and impacts few users.

Unfortunately, this /is/ impacting my "handler" and his team. But they're non-nominal users. We'll have to ask for exception rules to be added.

Thanks for the rational explanation. For the life of me, I didn't see it.
Rule of thumb for all security measures: first evaluate your (or your client's in this case) threat model. From your description it appears that they are concerned about internal threats. From that, subsequent explanations follow naturally.
Old 2019-12-06, 02:32   #6
kriesel
"TF79LL86GIMPS96gpu17"
Mar 2017
US midwest

Quote:
Originally Posted by retina
bittorrent and other P2P services that like to use high port numbers by default.
Trojans and other malware love those high port numbers too.
Old 2019-12-09, 06:09   #7
Madpoo
Serpentine Vermin Jar
Jul 2014

Quote:
Originally Posted by kriesel
Trojans and other malware love those high port numbers too.
That's what I was going to say. There are quite a few critters out there that talk to some command/control servers over non-standard ports > 1024. Blocking those outbound means that at least if a machine is infected, it might not be able to hit some C&C server.

Although I feel like most C&C servers are running on standard things (80, 443, etc), especially the IRC port. And it's been so long since I've used IRC, I've forgotten what that port # is.

I could be wrong... maybe more bad stuff is happening now over the high ports than I'm aware of... One thing I'm fairly confident of is that blocking high ports won't really help much in the end, and usually ends up blocking ports that people use for legit reasons.

On the other hand, if the reason is to keep people from deliberately doing things you don't want them to do and make sure they're only using approved things, then that'll sure help. Maybe they have a stateful inspection firewall that's inspecting everything over standard ports, and then they block everything else.
Old 2019-12-09, 07:52   #8
kriesel
"TF79LL86GIMPS96gpu17"
Mar 2017
US midwest

Quote:
Originally Posted by Madpoo
I could be wrong... maybe more bad stuff is happening now over the high ports than I'm aware of... One thing I'm fairly confident of is that blocking high ports won't really help much in the end, and usually ends up blocking ports that people use for legit reasons.

On the other hand, if the reason is to keep people from deliberately doing things you don't want them to do and make sure they're only using approved things, then that'll sure help. Maybe they have a stateful inspection firewall that's inspecting everything over standard ports, and then they block everything else.
Default deny. Defense in depth. Secure the end user devices. Secure the perimeter. Log and analyze. Detect exceptions and consider what they mean about what has happened on your network. I think default deny rather than default allow is more appropriate for use of an intrusion detection system. It's been bad out there for decades, but if you don't look, you don't know. I knew a guy who ran a Linux-based departmental network and someone got in, and had enough time to compromise multiple systems. The first time around, fixing it was a continual whack-a-mole game, which they conceded to the intruder. Second pass, they isolated their departmental network from the rest of the world for as long as it took to reinstall everything from zero on every system to regain control, while with a single system connected to the world their staff took turns using that for email etc., like people queuing up at the only water cooler to each drink in their turn. Pretty ugly, best not repeated.
https://eugene.kaspersky.com/2012/10...bout-deny-all/
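The "log and analyze, detect exceptions" step in kriesel's post above, and Madpoo's point that a dropped outbound connection to a high port may be malware talking to a C&C server or may just be a legitimate non-standard service, both come down to looking at what a default-deny egress rule actually drops. The Python script below is an added example for this thread, not code from any of the posters. It parses constructed netfilter-style LOG lines (the `EGRESS-DROP:` log prefix, all addresses and the exception rule are made up here), counts dropped new connections to ports above 1023 per source, destination and port, and sorts them into flows that a proposed exception rule would cover (the sort of rule chalsall says his handler's team will need), repeated attempts to one outside host and port that warrant a look at the source machine, and the rest.

```python
"""Triage default-deny egress drops from netfilter-style LOG lines.

Added example for this thread; it is not code from any of the posters.
The key=value layout is the Linux netfilter LOG target's; the log lines,
the 'EGRESS-DROP:' prefix and the exception rule are constructed here.
"""
import ipaddress
import re
from collections import Counter

HIGH_PORT = 1023  # the thread's working definition: "high" = above 1023
LOG_PREFIX = "EGRESS-DROP:"  # constructed --log-prefix of the egress DROP rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log: one workstation repeatedly trying the same high port
# on one outside host, an admin box reaching a non-standard SSH port, a UDP
# flow, and lines the triage must ignore (low port, non-SYN packet, no prefix).
SAMPLE_LOG = """\
Dec  5 18:01:02 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.15 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4001 DF PROTO=TCP SPT=49152 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:01:05 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.1.40 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4002 DF PROTO=TCP SPT=50001 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:02:02 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.15 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4003 DF PROTO=TCP SPT=49153 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:02:10 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.22 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=4004 DF PROTO=UDP SPT=41000 DPT=6881 LEN=28
Dec  5 18:02:30 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.1.40 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4005 DF PROTO=TCP SPT=50002 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:03:02 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.15 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4006 DF PROTO=TCP SPT=49154 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:03:15 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.15 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4007 DF PROTO=TCP SPT=49155 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 18:03:20 gw kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.20.0.31 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4008 DF PROTO=TCP SPT=52000 DPT=8443 WINDOW=501 RES=0x00 ACK URGP=0
Dec  5 18:03:21 gw sshd[1200]: Accepted publickey for admin from 10.20.1.40 port 50100 ssh2
"""


def parse_line(line):
    """Return the key=value fields of one LOG line plus its bare flag tokens
    (SYN, ACK, DF, ...) under 'flags'; None for lines without our prefix."""
    if LOG_PREFIX not in line:
        return None
    body = line.split(LOG_PREFIX, 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["flags"] = {tok for tok in body.split() if "=" not in tok}
    fields["DPT"] = int(fields.get("DPT", 0))
    return fields


def is_new_connection(f):
    """Only count connection attempts: a pure TCP SYN, or any UDP datagram
    (UDP has no handshake, so every dropped datagram is an attempt)."""
    proto = f.get("PROTO")
    if proto == "TCP":
        return "SYN" in f["flags"] and "ACK" not in f["flags"]
    return proto == "UDP"


def count_high_port_attempts(log_text):
    """Aggregate dropped new connections to ports above HIGH_PORT by (src, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and is_new_connection(f) and f["DPT"] > HIGH_PORT:
            counts[(f["SRC"], f["DST"], f["DPT"])] += 1
    return counts


# Constructed candidate exception rule: (source network, destination host, dport),
# i.e. "the admin team's subnet may reach its SSH host on a non-standard port".
EXCEPTION_RULES = [
    (ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_address("198.51.100.7"), 2222),
]


def matches_exception(src, dst, dport, rules=EXCEPTION_RULES):
    """True if one of the proposed exception rules would have allowed this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d == host and dport == port for net, host, port in rules)


def triage(log_text, repeat_threshold=3, rules=EXCEPTION_RULES):
    """Sort dropped high-port attempts into: flows a proposed exception covers
    (review before adding it), flows repeated often enough to check the source
    host, and everything else. Each entry is (src, dst, dport, count)."""
    report = {"covered_by_exception": [], "repeated": [], "other": []}
    for (src, dst, dport), n in count_high_port_attempts(log_text).items():
        entry = (src, dst, dport, n)
        if matches_exception(src, dst, dport, rules):
            report["covered_by_exception"].append(entry)
        elif n >= repeat_threshold:
            report["repeated"].append(entry)
        else:
            report["other"].append(entry)
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket)
        for src, dst, dport, n in entries:
            print(f"  {src} -> {dst}:{dport}  x{n}")
```

Run on the constructed sample, the two SSH attempts from 10.20.1.40 land under `covered_by_exception`, the three attempts from 10.20.0.15 to the same outside host and port land under `repeated`, and the single UDP datagram is left as `other`; the HTTPS SYN, the bare ACK and the sshd line are ignored. On a real gateway the script would read `journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG`, and the point of the exception list is that each rule is added for a named flow after review rather than by opening the whole high-port range again.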
Old 2019-12-11, 00:07   #9
chalsall
If I May
"Chris Halsall"
Sep 2002
Barbados

Hey guys. Thanks for the follow-up on this. And for retina's initial insight which made it all clear to me.

To follow-up on this... It seems this is my client's default position, or perhaps it is their various other consultants'.

Over the weekend we bypassed a firewall on a "public-facing" server, in order to make it functional. I have absolutely no idea why the firewall was deployed; it provided no advantage (the built-in firewall in CentOS is more than capable of doing the job, and it's useful to log the attack attempts).

It was doing NAT, and blocking all out-going connections to "high ports", in addition to all outgoing ICMP traffic. To say again, outgoing. On an "edge" server.

It's a good thing I meditate; otherwise, I'd scream (more than I nominally do)...

P.S. Always happy to be corrected in my thinking.
Old 2019-12-11, 22:46   #10
chalsall
If I May
"Chris Halsall"
Sep 2002
Barbados

Quote:
Originally Posted by chalsall
I have absolutely no idea why the firewall was deployed; it provided no advantage...
I just found out the reason the firewall was deployed.

Not only did it cost several thousand dollars in "CapEx", but my client was being billed a couple of thousand dollars per year for "software updates".

Sigh...
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.