Re: netfilter against Trojans and worms

On Monday 05 July 2004 3:10 pm, Gavin Hamill wrote:

> On Monday 05 July 2004 14:59, Saad Faruque wrote:
> > I did find a couple of sites, e.g.
> > (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> > really am not sure whether, if you simply block all these ports, it will
> > affect my clients' regular Internet activity. Any alternative suggestions
> > are also welcome :)
>
> My suggestion would be to stop fire-fighting and instead turn the problem
> on its head.
>
> Change your default policy from ACCEPT to DROP, and put in rules so that
> people are allowed to access port 80, 443, etc. and only the ports they
> actually NEED access to.

I agree completely with this.   Standard security practice is to "block 
everything which is not expressly allowed", and to allow only that which is 
known to be needed.

In a later posting you say you don't know what to allow - one approach which 
is very effective is to block everything, allow web, email and DNS, then wait 
until your users say "I can't do X", and then decide whether they should be 
allowed to do X or not.

If it isn't you who makes the decisions about what they should be allowed to 
do, then ask the person whose decision it is to give you a list of all the 
applications they're supposed to be able to access on the Internet.

In another posting you also said that you are not able to ensure the security 
of the machines in the internal network.   A good way to deal with that is to 
apply the security policy above, but then LOG all blocked packets, and 
summarise them by source IP address on a daily basis.   Anyone whose machine 
generates enough blocked traffic that it looks like it's infected with 
something gets a DROP (or REJECT) rule in the firewall until they clean up 
their machine.

You don't have to say much to justify this - you are insisting that they clean 
their machines so that they don't spread things to other machines on the 
network.   You can stop them spreading it to the Internet, but you can't stop 
them spreading to the local LAN.

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.
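The whole approach described in this message, as an added example that is not from the original thread: a FORWARD chain with a default DROP policy that allows only web, email and DNS out of the LAN, logs everything else, a summary of the logged packets by source address so the noisiest internal hosts can be found, and a quarantine rule for a host that turns out to be infected. Interface names, the LAN range, the log prefix and the sample log lines are all assumptions constructed for the example; set IPT=echo to print the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values:
LAN_IF="${LAN_IF:-eth1}"              # internal LAN interface
WAN_IF="${WAN_IF:-eth0}"              # Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal address range
LOG_PREFIX="FW-DROP: "                # prefix the LOG target writes to the kernel log
IPT="${IPT:-iptables}"                # IPT=echo gives a dry run

# "Block everything which is not expressly allowed": DROP by default,
# allow the handful of outbound services users are known to need, LOG the rest.
install_policy() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections the LAN initiated are allowed back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Web (80, 443) and email (25, 110, 143) out of the LAN.
    for port in 80 443 25 110 143; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -j ACCEPT
    done
    # DNS over UDP and TCP.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    # Anything else leaving the LAN is logged (rate-limited so an infected
    # host cannot flood syslog) and then falls through to the DROP policy.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" \
        -m limit --limit 10/minute --limit-burst 50 \
        -j LOG --log-prefix "$LOG_PREFIX"
}

# Quarantine one host until it is cleaned: a DROP rule inserted at the top of
# FORWARD so it wins over the ACCEPT rules above.
quarantine_host() {
    $IPT -I FORWARD 1 -s "$1" -j DROP
}

# Daily summary: read kernel log lines on stdin, count the logged packets per
# SRC= address and print "count address", noisiest host first.
summarise_blocked() {
    grep -F "$LOG_PREFIX" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break }
    } END { for (a in n) print n[a], a }' | sort -rn
}

# Constructed sample of LOG output (not real traffic) so the summary runs offline.
SAMPLE_LOG='Jul  5 15:10:01 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1037 DPT=135
Jul  5 15:10:01 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=1038 DPT=135
Jul  5 15:10:02 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=1039 DPT=445
Jul  5 15:10:05 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=UDP SPT=4321 DPT=6667
Jul  5 15:10:09 gw kernel: martian source 192.168.1.99 from 10.0.0.1, on dev eth1'

# The summary over the sample; in production feed it yesterday's kernel log instead.
daily_report() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_blocked
}

# The single noisiest host; how many blocked packets justify a quarantine is a
# local policy decision, not something the script can know.
top_offender() {
    daily_report | head -n 1
}

[ "${1:-}" = "report" ] && daily_report
```

Run it as `sh fw.sh report` to see the summary over the sample lines; on the gateway, `install_policy` is called once at boot and `quarantine_host 192.168.1.23` is the rule you add after reading the report. The non-matching "martian source" line shows the summary only counts lines carrying the firewall's own prefix.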
