I just thought I was missing something. I will give some more thought to it, including all of your suggestions, or maybe try things out the way you suggested to see how it goes. Wish me luck, and thanks a lot for all your time and help.

Regards,
Saad

On Mon, 5 Jul 2004 16:21:59 +0100, Antony Stone <antony@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Monday 05 July 2004 3:10 pm, Gavin Hamill wrote:
>
> > On Monday 05 July 2004 14:59, Saad Faruque wrote:
> > > I did find a couple of sites, e.g.
> > > (http://www.doshelp.com/trojanports.htm), which list some ports, but I
> > > really am not sure whether simply blocking all these ports will affect
> > > my clients' regular Internet activity. Any alternative suggestions are
> > > also welcome :)
> >
> > My suggestion would be to stop fire-fighting and instead turn the problem on
> > its head.
> >
> > Change your default policy from ACCEPT to DROP, and put in rules so that
> > people are allowed to access port 80, 443, etc. and only the ports they
> > actually NEED access to.
>
> I agree completely with this. Standard security practice is to "block
> everything which is not expressly allowed", and to allow only that which is
> known to be needed.
>
> In a later posting you say you don't know what to allow. One approach which
> is very effective is to block everything, allow web, email and DNS, then wait
> until your users say "I can't do X", and then decide whether they should be
> allowed to do X or not.
>
> If it isn't you who makes the decisions about what they should be allowed to
> do, then ask the person whose decision it is to give you a list of all the
> applications they're supposed to be able to access on the Internet.
>
> In another posting you also said that you are not able to ensure the security
> of the machines in the internal network. A good way to deal with that is to
> apply the security policy above, but then LOG all blocked packets, and
> summarise them by source IP address on a daily basis. Anyone whose machine
> generates enough blocked traffic that it looks like it's infected with
> something gets a DROP (or REJECT) rule in the firewall until they clean up
> their machine.
>
> You don't have to say much to justify this: you are insisting that they clean
> their machines so that they don't spread things to other machines on the
> network. You can stop them spreading it to the Internet, but you can't stop
> them spreading to the local LAN.
>
> Regards,
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
> - William Gibson, Neuromancer (1984)
>
> Please reply to the list;
> please don't CC me.
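The approach Antony describes in the quoted message (default DROP on the forwarding path, allow only web, email and DNS, log what the policy drops, summarise the log by source address, and cut off hosts that look infected) as one shell script. This is an added example, not code posted by anyone on the thread. The interface names eth0/eth1, the LAN subnet 192.168.1.0/24, the "FW-DROP: " log prefix and the function names are assumptions, and the sample kernel log lines are constructed, not a real capture. The iptables part needs root on the gateway; the summariser runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names (not in the
# original posts): WAN interface eth0, LAN interface eth1, LAN subnet
# 192.168.1.0/24, log prefix "FW-DROP: ". Adjust to your gateway.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
LOG_PREFIX="FW-DROP: "

# Default-DROP policy for traffic forwarded from the LAN to the Internet:
# only web, email and DNS are allowed; everything else is logged and then
# falls through to the chain policy, which drops it. Needs root, so it is
# wrapped in a function and never called here; the summariser runs without it.
apply_firewall() {
    iptables -P FORWARD DROP
    iptables -F FORWARD

    # Replies to connections we allowed out
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Web (80, 443) and email (SMTP, POP3, IMAP and their TLS ports)
    for port in 80 443 25 110 143 993 995; do
        iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # DNS over UDP and TCP
    for proto in udp tcp; do
        iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p "$proto" --dport 53 -j ACCEPT
    done

    # Log what the policy is about to drop, rate-limited so a worm cannot
    # flood the log. The SRC= field in these lines is what the summary keys on.
    iptables -A FORWARD -i "$LAN_IF" -m limit --limit 10/minute --limit-burst 50 \
        -j LOG --log-prefix "$LOG_PREFIX"
}

# Cut an infected host off until it is cleaned. Inserted at position 1 so it
# precedes the ESTABLISHED,RELATED rule and kills existing connections too.
quarantine_host() {
    iptables -I FORWARD 1 -s "$1" -j DROP
}

# Count logged drops per internal source address, most active first.
# Reads kernel log lines (e.g. /var/log/kern.log); fits a daily cron job.
summarise_drops() {
    grep "$LOG_PREFIX" "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Print the addresses whose drop count reaches the threshold given in $2.
flag_noisy_hosts() {
    summarise_drops "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log (not a real capture): one host probing 135/445 on
# several destinations, one host making a single IRC attempt, one unrelated line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul  5 16:21:59 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=1034 DPT=135 SYN
Jul  5 16:22:00 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=1035 DPT=445 SYN
Jul  5 16:22:01 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1036 DPT=135 SYN
Jul  5 16:23:10 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=3210 DPT=6667 SYN
Jul  5 16:23:12 gw kernel: eth0: link up, SRC=10.0.0.1 must not be counted
EOF

echo "Blocked packets per source:"
summarise_drops "$SAMPLE_LOG"
echo "Hosts with 2 or more drops (candidates for quarantine_host):"
flag_noisy_hosts "$SAMPLE_LOG" 2
# On the gateway, a daily job would then do something like:
#   for ip in $(flag_noisy_hosts /var/log/kern.log 50); do quarantine_host "$ip"; done
```

The threshold is the judgement call Antony leaves to you: a host that hits a handful of blocked ports in a day is probably a user trying an unlisted application, while one that generates hundreds of drops to port 135 or 445 across many destinations looks like a worm. Pick the number from a few days of summaries before automating the quarantine, and log the per-port breakdown as well if you want the "what were they trying to do" answer.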