    Firewalls & Restricting Outbound Traffic

    IT Discussion
    • anthonyh (last edited by anthonyh)

      I'm working on setting up new firewalls for my organization. In the past, I've never restricted outbound traffic from our network, just what can come in. I'm thinking it may be time to stop taking the "easy way" and start restricting outbound traffic.

      For those of you who do this, what ports do you allow outbound? Obviously 80/443, but what else? Where would you recommend starting? My theory is that I'd come up with a baseline of ports that all end-points would need and then go from there as needed (adding to the "global ports" and/or adding specific exceptions if the need is not common).

      Thoughts?

      • Romo (last edited by Romo)

        I have the following as base:

        • 80/443 everyone
        • 53 TCP/UDP only for DNS servers on the network
        • 123 UDP for AD servers
        • EddieJennings @anthonyh

          @anthonyh How about SMTP for mail traffic?

          • anthonyh @EddieJennings (last edited by anthonyh)

            @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

            • scottalanmiller @anthonyh

              @anthonyh said in Firewalls & Restricting Outbound Traffic:

              Or..should I trust the UTM features of the firewall(s) and not worry about it?

              Or neither, Just turn them off 🙂

              • scottalanmiller @anthonyh

                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                • scottalanmiller @EddieJennings

                  @EddieJennings said in Firewalls & Restricting Outbound Traffic:

                  @anthonyh How about SMTP for mail traffic?

                  That's the #1 port to block outbound.

                  • EddieJennings @scottalanmiller

                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                    @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                    Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                    Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

                    • scottalanmiller @EddieJennings

                      @EddieJennings said in Firewalls & Restricting Outbound Traffic:

                      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                      @anthonyh said in Firewalls & Restricting Outbound Traffic:

                      @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                      Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                      Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

                      Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

                      • anthonyh @scottalanmiller

                        @scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted. 😄

                        • anthonyh @scottalanmiller

                          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                          @EddieJennings said in Firewalls & Restricting Outbound Traffic:

                          @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                          @anthonyh said in Firewalls & Restricting Outbound Traffic:

                          @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                          Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                          Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

                          Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

                          If anything the goal would be to only allow port 587 as this is the SMTP submission port. Port 25 should be server to server only and not needed. Possibly allow 465 for backwards compatibility, but not sure.

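The baseline that Romo and scottalanmiller describe (80/443 for everyone, 53 only from the DNS servers, 123 only from the AD servers, 587 for client submission, 25 reserved for the mail relay) modelled as a default-deny egress policy. This is an added example, not code from any poster in this thread: the host addresses, group names and the `egress` table name are constructed, and the rendered nftables text is one assumed way of expressing the same policy on a Linux firewall. Unmatched traffic falls through to `policy drop` and is logged, which is what lets you review what the allow-list is actually stopping.

```python
"""
Added example: a small model of a default-deny outbound policy.
Hosts, groups and the rule set below are constructed for illustration.
It evaluates sample flows with first-match semantics and renders the
equivalent nftables ruleset so the allow-list can be checked before it
is pushed to the firewall.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed host groups; in practice these come from your inventory.
GROUPS = {
    "dns_servers": ["10.0.1.10", "10.0.1.11"],
    "ad_servers": ["10.0.1.20", "10.0.1.21"],
    "mail_relay": ["10.0.2.25"],   # DMZ relay, the only host allowed to speak SMTP (25)
}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp" or "udp"
    dport: int
    src_group: Optional[str]   # None means "everyone"
    action: str                # "accept" or "drop"


# Baseline as discussed in the thread. Anything unmatched hits the default drop.
BASELINE = [
    Rule("web-http",        "tcp", 80,  None,          "accept"),
    Rule("web-https",       "tcp", 443, None,          "accept"),
    Rule("dns-tcp",         "tcp", 53,  "dns_servers", "accept"),
    Rule("dns-udp",         "udp", 53,  "dns_servers", "accept"),
    Rule("ntp",             "udp", 123, "ad_servers",  "accept"),
    Rule("smtp-relay-only", "tcp", 25,  "mail_relay",  "accept"),
    Rule("submission",      "tcp", 587, None,          "accept"),
]


def evaluate(rules, src_ip, proto, dport):
    """First matching rule wins; no match means the chain's default policy (drop)."""
    src = str(ipaddress.ip_address(src_ip))   # normalises and validates the address
    for r in rules:
        if r.proto != proto or r.dport != dport:
            continue
        if r.src_group is not None and src not in GROUPS[r.src_group]:
            continue
        return r.action
    return "drop"


def render_nft(rules, table="inet egress"):
    """Render an nftables forward chain (default drop, drops logged) from the policy."""
    lines = [f"table {table} {{"]
    for gname, hosts in GROUPS.items():
        lines.append(f"    set {gname} {{ type ipv4_addr; elements = {{ {', '.join(hosts)} }} }}")
    lines.append("    chain forward {")
    lines.append("        type filter hook forward priority 0; policy drop;")
    lines.append("        ct state established,related accept")
    for r in rules:
        src = f"ip saddr @{r.src_group} " if r.src_group else ""
        lines.append(f"        {src}{r.proto} dport {r.dport} {r.action} comment \"{r.name}\"")
    lines.append("        log prefix \"egress-drop: \" drop")
    lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A workstation trying to send mail directly is the case the thread argues about.
    print("workstation -> tcp/25:", evaluate(BASELINE, "10.0.20.15", "tcp", 25))   # drop
    print("mail relay  -> tcp/25:", evaluate(BASELINE, "10.0.2.25", "tcp", 25))    # accept
    print(render_nft(BASELINE))
```

`evaluate()` answers the "would this flow get out?" question for a given host before the rules go live, and `render_nft()` produces a ruleset you can diff against what is actually loaded. The two functions share the same data, so the simulation cannot drift from the rendered policy.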
                          • anthonyh @scottalanmiller

                            @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                            @anthonyh said in Firewalls & Restricting Outbound Traffic:

                            Or..should I trust the UTM features of the firewall(s) and not worry about it?

                            Or neither, Just turn them off 🙂

                            But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

                            • dafyre @anthonyh

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                              @anthonyh said in Firewalls & Restricting Outbound Traffic:

                              Or..should I trust the UTM features of the firewall(s) and not worry about it?

                              Or neither, Just turn them off 🙂

                              But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

                              If things slow to a crawl, disable the IDS / IPS, and the Antivirus checks (that's what I had to do).

                              • EddieJennings @scottalanmiller

                                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                @EddieJennings said in Firewalls & Restricting Outbound Traffic:

                                @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                                Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                                Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

                                Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

                                Yeah, I was assuming the client used 25/587 to connect rather than ActiveSync, etc. I just wanted to make sure I didn't have a flawed understanding of basic networking :P. End result is allow outbound traffic for whatever port your mail client uses.

                                • Dashrender @anthonyh

                                  @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                  @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                  @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                  Or..should I trust the UTM features of the firewall(s) and not worry about it?

                                  Or neither, Just turn them off 🙂

                                  But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

                                  This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

                                  • Obsolesce

                                    @EddieJennings said in Firewalls & Restricting Outbound Traffic:

                                    @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                    @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                    @EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

                                    Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

                                    Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

                                    I use an SMTP server in-house, but that authenticates to O365 using SSL/TLS. So, not port 25.

                                    Other than that, all email clients (Outlook and a few TB) connect directly to O365, also not port 25.

                                    • Obsolesce @Dashrender

                                      @Dashrender said in Firewalls & Restricting Outbound Traffic:

                                      @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                      @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                      @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                      Or..should I trust the UTM features of the firewall(s) and not worry about it?

                                      Or neither, Just turn them off 🙂

                                      But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

                                      This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

                                      I have redundant Squid proxy servers set up for outgoing client connections where needed.

                                      • EddieJennings @Obsolesce

                                        @Tim_G Yeah, I don't have to deal with port 25 / 587 any more, as we're using Exchange Online.

                                        • scottalanmiller @anthonyh

                                          @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                          @scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted. 😄

                                          The reason it's bad is that if you get infected, that's a port that malware wants to use. There is a reason that it is the top port to block. And what weird email are people using for personal that uses that?

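scottalanmiller's point that malware wants port 25 is also a detection hint: once outbound SMTP is denied for everything but the relay, the firewall's drop log shows which hosts are trying anyway, and a host that keeps hitting 25 toward several destinations is worth a look. Added example, not from any poster in this thread: the log lines are constructed in the kernel LOG target format used by iptables and nftables, the `egress-drop` prefix and every address are assumptions, and the allowed-source sets stand in for the DNS servers and mail relay from the baseline discussed above.

```python
"""
Added example: triage of firewall drop logs for blocked egress on the ports
the thread singles out (25 and 53). Log lines and addresses are constructed.
"""
import re
from collections import defaultdict

# Regex for the kernel LOG target line shared by iptables and nftables.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>[\w-]+): .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dport>\d+)"
)

# Watched ports and the constructed hosts that are allowed to use them.
WATCHED_PORTS = {
    25: {"10.0.2.25"},                # only the DMZ mail relay speaks SMTP
    53: {"10.0.1.10", "10.0.1.11"},   # only the internal resolvers go out on 53
}

# Constructed sample: one workstation spraying SMTP, one host trying a public
# resolver directly, one unrelated drop, one inbound drop with another prefix,
# and a non-firewall line that must be ignored.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:01 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:02 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=203.0.113.44 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4244 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:02 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.15 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4245 DF PROTO=TCP SPT=51237 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:05 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.31 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=9001 PROTO=UDP SPT=40001 DPT=53 LEN=53
Mar  3 09:12:06 fw kernel: egress-drop: IN=eth1 OUT=eth0 SRC=10.0.20.31 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9002 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 09:12:07 fw kernel: other-drop: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF PROTO=TCP SPT=60000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 09:12:08 fw sshd[1234]: Accepted publickey for admin from 10.0.1.5 port 50000 ssh2
"""


def parse_drops(log_text, prefix="egress-drop"):
    """Yield (src, dst, proto, dport) for every logged drop carrying the given prefix."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("prefix") == prefix:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def triage(log_text, prefix="egress-drop", min_hits=3):
    """
    Aggregate blocked egress per (source, watched port) for hosts that are not
    on that port's allow-list. Repeated attempts toward several destinations
    are the pattern worth investigating; a single hit is usually misconfiguration.
    """
    hits = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, _proto, dport in parse_drops(log_text, prefix):
        if dport in WATCHED_PORTS and src not in WATCHED_PORTS[dport]:
            hits[(src, dport)] += 1
            dsts[(src, dport)].add(dst)
    findings = [
        {"src": src, "dport": dport, "hits": n, "distinct_dst": len(dsts[(src, dport)])}
        for (src, dport), n in hits.items()
        if n >= min_hits
    ]
    return sorted(findings, key=lambda f: (-f["hits"], f["src"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only the SMTP-spraying workstation clears the default threshold; lowering `min_hits` to 1 also surfaces the host querying a public resolver directly, which is the kind of thing you expect to see right after the 53 restriction goes in and which points at a client with a hard-coded resolver rather than at malware.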
                                          • scottalanmiller @anthonyh

                                            @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                            @scottalanmiller said in Firewalls & Restricting Outbound Traffic:

                                            @anthonyh said in Firewalls & Restricting Outbound Traffic:

                                            Or..should I trust the UTM features of the firewall(s) and not worry about it?

                                            Or neither, Just turn them off 🙂

                                            But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

                                            Jared and I have been saying all along... it's mostly a gimmick. Yeah it's "the thing now", but that doesn't imply that it's good (or an upgrade.) That's why I recommend Ubiquiti, it doesn't have all that garbage on it that you generally want disabled.
