Firewalls & Restricting Outbound Traffic

anthonyh

I'm working on setting up new firewalls for my organization. In the past, I've never restricted outbound traffic from our network, just what can come in. I'm thinking it may be time to stop taking the "easy way" and start restricting outbound traffic.

For those of you who do this, what ports do you allow outbound? Obviously 80/443, but what else? Where would you recommend starting? My theory is that I'd come up with a baseline of ports that all end-points would need and then go from there as needed (adding to the "global ports" and/or adding specific exceptions if the need is not common).

Thoughts?

Romo

I have the following as base:

• 80/443 everyone
• 53 TCP/UDP only for dns servers on the network
• 123 UDP for for ad servers

EddieJennings

@anthonyh How about SMTP for mail traffic?

anthonyh

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

scottalanmiller

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@anthonyh How about SMTP for mail traffic?

That's the #1 port to block outbound.

EddieJennings

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

scottalanmiller

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

anthonyh

@scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted.

anthonyh

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

If anything the goal would be to only allow port 587 as this is the SMTP submission port. Port 25 should be server to server only and not needed. Possibly allow 465 for backwards compatibility, but not sure.

anthonyh

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

dafyre

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

If things slow to a crawl, disable the IDS / IPS, and the Antivirus checks (that's what I had to do).

EddieJennings

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.

Yeah, I was assuming the client used 25/587 to connect rather than ActiveSync, etc. I just wanted to make sure I didn't have a flawed understanding of basic networking :P. End result is allow outbound traffic for whatever port your mail client uses.

Dashrender

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

Obsolesce

@EddieJennings said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.

Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?

Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?

I use an SMTP server in-house, but that authenticates to O365 using SSL/TLS. So, not port 25.

Other than that, all email clients (Outlook and a few TB) connect directly to O365, also not port 25.

Obsolesce

@Dashrender said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

This is why the recommendation around ML is to NOT buy a UTM. But a firewall that does firewall stuff, and buy a filter that does filtering stuff, if you really need it.

I have redundant Squid proxy servers set up for outgoing client connections where needed.

EddieJennings

@Tim_G Yeah, I don't have to deal with port 25 / 587 any more, as we're using Exchange Online.

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted.

The reason it's bad is that if you get infected, that's a port that malware wants to use. There is a reason that it is the top port to block. And what weird email are people using for personal that uses that?

scottalanmiller

@anthonyh said in Firewalls & Restricting Outbound Traffic:

@scottalanmiller said in Firewalls & Restricting Outbound Traffic:

@anthonyh said in Firewalls & Restricting Outbound Traffic:

Or..should I trust the UTM features of the firewall(s) and not worry about it?

Or neither, Just turn them off

But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol

Jared and I have been saying all along... it's mostly a gimmick. Yeah it's "the thing now", but that doesn't imply that it's good (or an upgrade.) That's why I recommend Ubiquiti, it doesn't have all that garbage on it that you generally want disabled.