[Snort-sigs] deny default outbound (was Reverse shell)

Bennett Todd bet at ...654...
Mon Mar 25 12:14:04 EDT 2013


I've enjoyed some limited success by tying opened outbound protocols with
hardened internal clients.

Few apps seem to legitimately need to do their own DNS, a dnscache as part
of the firewall plant seems to go over well.

Not too many more need to do their own SMTP, a postfix or qmail seems to
please.

HTTP is a dumping ground for wickedness, but if you can pick a web browser
that doesn't have a lethally bad security record, and allow only it to pass
directly, and route all others through a proxy, the complaints will
highlight apps that are abusing the protocol to bypass security.

The folks I've met with legitimate need to ssh outbound seem to be more
technically savvy, and a proxy-enabled ssh client plus tight logging seems
to be an adequate compromise.

For other problems, like multimedia chatting, I offer a client installed on
a server in the DMZ, with ssh or vnc access from the inside.
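The deny-default egress design in the post above, written up as an added example that is not part of the original message: a small policy model in which only the dnscache, the mail relay and the HTTP/ssh proxy may talk to the Internet, inside hosts may only reach those relays and the DMZ jump box, and everything else is dropped. Run over constructed firewall log lines, the drops are exactly the "complaints" that expose apps doing their own DNS or HTTP. The address ranges, relay addresses, proxy port and log format are assumptions for this example.

```python
"""Deny-default egress policy from the post, modelled so constructed firewall
log lines can be checked for clients bypassing the relays. Addresses, ports and
the log format are assumptions for this example."""
import ipaddress
import re
from collections import namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed inside range
# Assumed addresses of the relays in the firewall plant and the DMZ jump box.
DNSCACHE, MAILRELAY, PROXY, DMZ_JUMP = "10.1.0.53", "10.1.0.25", "10.1.0.80", "10.1.0.22"

Rule = namedtuple("Rule", "src dst dports why")
POLICY = [  # first match wins; no match means deny
    Rule(DNSCACHE,   "external", {53},          "dnscache resolves for the site"),
    Rule(MAILRELAY,  "external", {25},          "postfix/qmail relays SMTP"),
    Rule(PROXY,      "external", {80, 443, 22}, "proxy carries HTTP and logged ssh"),
    Rule("internal", DNSCACHE,   {53},          "clients must use the dnscache"),
    Rule("internal", MAILRELAY,  {25},          "clients submit mail via the relay"),
    Rule("internal", PROXY,      {3128},        "clients reach the web through the proxy"),
    Rule("internal", DMZ_JUMP,   {22, 5900},    "ssh/vnc to the chat client in the DMZ"),
]

def _match(pattern, addr):
    inside = ipaddress.ip_address(addr) in INTERNAL
    return {"internal": inside, "external": not inside}.get(pattern, pattern == addr)

def decide(src, dst, dport):
    """Return ('allow', why) or ('deny', why) for one outbound flow."""
    for r in POLICY:
        if _match(r.src, src) and _match(r.dst, dst) and dport in r.dports:
            return "allow", r.why
    return "deny", "default outbound deny"

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def audit(lines):
    """Return the flows the policy drops: the 'complaints' that expose apps
    doing their own DNS/HTTP instead of using the relays."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and decide(m[1], m[2], int(m[3]))[0] == "deny":
            flagged.append((m[1], m[2], int(m[3])))
    return flagged

SAMPLE_LOG = [  # constructed, not real traffic
    "src=10.1.0.53 dst=198.51.100.7 dport=53 proto=udp",  # dnscache: allowed
    "src=10.2.3.4 dst=198.51.100.7 dport=53 proto=udp",   # client doing its own DNS
    "src=10.2.3.4 dst=10.1.0.80 dport=3128 proto=tcp",    # client via proxy: allowed
    "src=10.2.3.9 dst=203.0.113.5 dport=443 proto=tcp",   # direct HTTPS bypass
]
```

Calling `audit(SAMPLE_LOG)` flags the second and fourth lines; in practice the same table is what the firewall ruleset encodes, and the drop log is where the bypassing applications show up.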