Firewalls & Restricting Outbound Traffic

EddieJennings

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

Yeah, I was assuming the client used 25/587 to connect rather than ActiveSync, etc. I just wanted to make sure I didn't have a flawed understanding of basic networking :P. End result is allow outbound traffic for whatever port your mail client uses.

Dashrender

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

Obsolesce

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

I use an SMTP server in-house, but that authenticates to O365 using SSL/TLS. So, not port 25.

Other than that, all email clients (Outlook and a few TB) connect directly to O365, also not port 25.

Obsolesce

@Dashrender said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

I have redundant Squid proxy servers set up for outgoing client connections where needed.

EddieJennings

@Tim_G Yeah, I don't have to deal with port 25 / 587 any more, as we're using Exchange Online.

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted.

The reason it's bad is that if you get infected, that's a port that malware wants to use. There is a reason that it is the top port to block. And what weird email are people using for personal that uses that?

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

Jared and I have been saying all along... it's mostly a gimmick. Yeah it's "the thing now", but that doesn't imply that it's good (or an upgrade.) That's why I recommend Ubiquiti, it doesn't have all that garbage on it that you generally want disabled.

scottalanmiller

@Dashrender said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

Most of hte time. There ARE exceptions, of course, but not with gear like Fortinet. On the rare case that you want a UTM, you want a serious one like Palo Alto or maybe Sophos.

dafyre

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@Dashrender said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

Most of hte time. There ARE exceptions, of course, but not with gear like Fortinet. On the rare case that you want a UTM, you want a serious one like Palo Alto or maybe Sophos.

The networking guys here like the Palo Altos!

scottalanmiller

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

Yeah, I was assuming the client used 25/587 to connect rather than ActiveSync, etc. I just wanted to make sure I didn't have a flawed understanding of basic networking :P. End result is allow outbound traffic for whatever port your mail client uses.

There are cases for that, but they are pretty rare or are options. We use Zimbra for email and it uses those ports with third party fat clients, but it is not needed for the native client or the native fat client.

scottalanmiller

@dafyre said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@Dashrender said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

Most of hte time. There ARE exceptions, of course, but not with gear like Fortinet. On the rare case that you want a UTM, you want a serious one like Palo Alto or maybe Sophos.

The networking guys here like the Palo Altos!

They are generally considered the best. It's an attempt to ride their coattails that all these crappy vendors started making their own UTMs and hope that people think that since PA had a good idea, that it's a good idea from everyone else.

scottalanmiller

UTMs are a bit like SANs. When you are a special case and need one, it's going to be hugely expensive and a big deal. For most everyone else, the stuff you get isn't appropriate. And like a SAN, the most common best use scenario for a UTM is "turn it off." Just like in most SMB use cases, the best way to use your SAN is to unplug it.

anthonyh

Well, for what it's worth, I was handed the Fortigates and told to set them up as our new firewalls. Soo, can we focus on my OP rather than a debate on UTMs or not, pretty please?

anthonyh

Well, I guess I did invite the conversation myself by asking if I should rely on UTM features instead of limiting outbound traffic. D'oh!

anthonyh

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Well, I guess I did invite the conversation myself by asking if I should rely on UTM features instead of limiting outbound traffic. D'oh!

Fixed!

anthonyh

Ok, so the consensus so far for a good baseline is:

TCP 80/443 for all
TCP & UDP 53 for DNS servers
UDP 123 for NTP servers

Anything I'm missing? Any others to consider?

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Well, I guess I did invite the conversation myself by asking if I should rely on UTM features instead of limiting outbound traffic. D'oh!

Just a tad.

Obsolesce

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Ok, so the consensus so far for a good baseline is:

TCP 80/443 for all
TCP & UDP 53 for DNS servers
UDP 123 for NTP servers

Anything I'm missing? Any others to consider?

Any applications like TeamViewer for example?

anthonyh

@Tim_G said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Ok, so the consensus so far for a good baseline is:

TCP 80/443 for all
TCP & UDP 53 for DNS servers
UDP 123 for NTP servers

Anything I'm missing? Any others to consider?

Any applications like TeamViewer for example?

TeamViewer seems to work over 80/443.

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@Tim_G said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Ok, so the consensus so far for a good baseline is:

TCP 80/443 for all
TCP & UDP 53 for DNS servers
UDP 123 for NTP servers

Anything I'm missing? Any others to consider?

Any applications like TeamViewer for example?

TeamViewer seems to work over 80/443.

Outbound? A little surprising but not totally.