|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical how about the basics? [was: Re: Blocking port 53]
John Levine wrote: Inbound:I thought everyone ran an ssh server on port 443 by now. It's the easiest way to get through these overbearing firewalls. -------- Agreed. As we all know, applications running on web servers are the easiest way to get into an organization. Run as many routers and firewalls as you like, people will just cut through them. Some easy questions are; - How easy is it to break in, applicatively? [secure code & architecture, pen-test, etc. and not just when the site goes live] - What do you do to protect the application? [application filtering on some level - not many good solutions, sniffer/resets, inline/drop, reverse proxies, etc.] - Once through the application, what do you do to protect the server? [hardening, ports, services, FW] - DB security? What's that? - Once on the server, what do you do to make sure the machine cannot get to the rest of your network? Is your solution local or network based? [PFW? VLAN?] That's an ancient beaten to death issue that people just piss all over. Web applications today are simply the door into your organization and your network. This is all costy, but you could do some of these things without any additional costs above an hour or two of your time. I state the obvious again: protect your web servers! Outbound: --------- Try and make sure only HTTP/SSL communication goes through ports 80/443, respectively. Most worth-while corporate firewalls today support this type of application filtering. It won't help you with spyware like (imo) Kazaa (or legit software) that goes over HTTP, but you get my point. Aside to a nice way to circumvent firewalls to go and IRC or use private mail servers, we also lately see many botnet C&C's using these ports. It may only be half relevant to nanog, and for that I apologize, but I take the chance to remind people of how important this all is on *ANY* opportunity. Gadi.
|