Just food for thought.
I recently caught an open back door at a customer's site by auditing
outbound traffic for the internal source address. Turns out someone was
dialing out to the internet from their PC while still connected to the
corporate backbone (it seems this user felt they should not have to log in
to the firewall before using the internet). The dial-out connection allowed
someone from the outside to get in to the enterprise
(IP routing is a wonderful thing). The outbound audit triggered when this
unwanted system then tried to leave the site through the firewall, thus
notifying the security department of the back door's existence. Talk about a
major violation of site security policy.
If I am not mistaken there have been several cases where firewalls were
toppled from the inside by using this same occurrence.
Network Systems Canada
P.S. You can never hope to find anything unless you're looking!!
Audit, Audit, Audit!!
On Dec 2, 5:12pm, Bill Heiser wrote:
> Subject: restricting OUTBOUND access
> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples. Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> Thanks in advance,
> Bill Heiser heiser @
>-- End of excerpt from Bill Heiser
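
Added example, not part of the original messages: one reading of the outbound audit described in the reply, flagging packets that reach the firewall's inside interface with a source address outside the site's own ranges. The log format, interface names, and all addresses are constructed for illustration and are assumptions, not details from the thread.

```python
import ipaddress

# Assumption: the site's internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log in a hypothetical format:
# timestamp, interface the packet arrived on, source, destination, dest port
SAMPLE_LOG = """\
2024-01-01T17:01:10 if=inside src=10.20.4.17 dst=192.0.2.80 dport=80
2024-01-01T17:01:12 if=inside src=198.51.100.23 dst=192.0.2.99 dport=23
2024-01-01T17:01:15 if=outside src=203.0.113.5 dst=10.20.1.1 dport=25
2024-01-01T17:02:40 if=inside src=198.51.100.23 dst=203.0.113.77 dport=21
2024-01-01T17:03:00 if=inside src=not-an-ip dst=192.0.2.80 dport=80
"""

def parse_line(line):
    """Split 'ts key=value ...' into a dict; None if required fields are missing."""
    parts = line.split()
    if not parts:
        return None
    rec = {"ts": parts[0]}
    for item in parts[1:]:
        key, sep, value = item.partition("=")
        if sep:
            rec[key] = value
    return rec if {"if", "src", "dst"} <= rec.keys() else None

def audit_outbound(log_text):
    """Return (alerts, unparsed) for packets arriving on the inside interface."""
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if rec["if"] != "inside":
            continue  # only traffic leaving the site is audited here
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            unparsed.append(line)
            continue
        if not any(src in net for net in INTERNAL_NETS):
            alerts.append(rec)  # foreign source behind the firewall
    return alerts, unparsed

if __name__ == "__main__":
    for rec in audit_outbound(SAMPLE_LOG)[0]:
        print("ALERT foreign source leaving site:", rec)
```

A hit means some path into the network bypasses the firewall, so the follow-up is to trace where the foreign address entered, not merely to block it.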