If I only want to allow HTTP, POP3, IMAP4, SMTP functionality for outbound traffic (i.e. no servers hosted at site) are there any additional ports that need to be open to allow those functions to work (e.g. DNS UDP ports)?

See also: outbound ports that are always open

If some of the answers below seem weird, please see the edits of this post - I removed a lot of detail that seemed to solicit answers to different questions altogether.

dunxd

  • Why do you need to block outbound traffic in the first place? – joeqwerty Jan 11 '11 at 12:22
  • Bittorrent, botnets, viruses. There are many reasons why one would want to lock down a remote office's abilities. Of course there are other ways to deal with these, but limiting the ports that can be used seems like a good start. Of course, I am open to alternative suggestions for how to enforce internet usage, as long as they use the equipment we already invested in. – dunxd Jan 11 '11 at 12:23
  • As most malware infections are introduced by way of a user's web browsing, it seems to me that allowing outbound HTTP is leaving a gaping hole in that method of security. – joeqwerty Jan 11 '11 at 12:30
  • Well - of course you need to compromise to have a system acceptable to your business. Perfect security would not allow any internet connection at all... – dunxd Jan 11 '11 at 12:32
  • You're contradicting yourself. In your first comment you said that blocking outbound traffic is necessary for security, but in your second comment you said that a compromise is necessary to allow usability. So which is it: block outbound traffic to protect the network, or allow outbound traffic to allow usability? – joeqwerty Jan 11 '11 at 13:11
  • @joeqwerty I believe that dunxd is trying to articulate risk management & defense-in-depth. I agree with dunxd that blocking egress traffic that does not have a business use is beneficial. Since there is usually a business case for HTTP/80 traffic, and a lot of malware comes through HTTP/80, there needs to be a corresponding control in place to mitigate that risk. That does not mean that you don't use other layers of security (egress filtering for all non-business ports). – Josh Brower Jan 11 '11 at 18:34

5 Answers

If you "...share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs.", don't you think you should at least ask them for specific needs they may have? I'm not sure what your setup is, but I've been in a "shared" internet connection situation before, and you will want to consult with them first rather than arbitrarily blocking everything except for ports that your org needs or else you could have a lawsuit on your hands if you block a business-required service for one of the other orgs just because you didn't feel like asking them first...

EDIT due to totally revised question

  • HTTP  - TCP:80
  • HTTPS - TCP:443
  • POP3  - TCP:110 (secure POP is typically TCP:995)
  • IMAP4 - TCP:143 (secure IMAP is typically TCP:993)
  • SMTP  - TCP:25 (secure SMTP is typically TCP:465)
  • DNS   - UDP:53 (external lookups)

These services could be on other ports, but these are the standard ports. Some have mentioned other HTTP ports in the 8000 range which is possible, but public sites typically do not do this. Again, you should monitor the traffic and see if other ports are necessary before opening them up.

If you have established that these ports are indeed used by your company (you have users connecting to external mail servers over POP3, IMAP, and sending mail directly over the SMTP port) you should probably take note of which external IPs they connect to and limit the ACLs to only those IPs on the firewall. This will limit somewhat your exposure if any of your users ever gets infected with a mail worm or other similar virus.

For DNS lookups, depending on your setup, only your internal DNS servers (AD DCs if you are using AD) would be doing any lookups and your clients would use them as their DNS servers. You would typically also know which external DNS servers they are using and limit their outbound lookups to just those external DNS servers for forwarding. If your clients are doing lookups themselves, then again you would probably know which external DNS servers they are going to and limit their outbound connection to just those external servers.

In all of these ACL setups all you need is to allow the port of the service out. Any stateful firewall (I believe you had mentioned you had ASA 5505s? prior to the edit) will recognize a response from the outside and let it in as an established session (and refuse connections that have no established session).

August

  • Of course we are asking. As stated in the question, I am looking for a best-fit standard config to roll out now, as I don't anticipate answers to the question coming all that quickly until the point when something stops working... And wondering what core services I don't want to block (e.g. DNS) that I might not already have thought of. – dunxd Jan 11 '11 at 13:36
  • In that case, as long as you are CYA legally, there IS no "standard" beyond HTTP/HTTPS and DNS for basic internet connectivity. Everything else depends on specific services that you (or the other orgs) may or may not have. – August Jan 11 '11 at 13:45
  • I mean my own standard config for use across my machines - not a global standard for everyone :-) So for basic email and web access, in addition I would need to open up DNS - which of course is useful for lots of other things. – dunxd Jan 11 '11 at 17:21
  • For you to develop your standard (I thought we were talking about a firewall standard, not a machine standard), you will need to evaluate your own traffic. Sure there are common ports and services, but only YOU would know if YOUR business needs them or not. To blindly recommend you to open common ports without knowing which are actually needed doesn't make sense in a security or operational sense. – August Jan 11 '11 at 18:12
  • +1 Thanks for updating your answer in light of the revised question. – dunxd Jan 13 '11 at 10:20
I recently implemented this in an environment that I consult in. I took a week and logged all egress traffic so that I first got a good idea of what the most used ports were. For any high-use ports that were out of the ordinary (Steam ports, for example), I worked with management and made sure that they were or were not needed for business. I also checked to make sure there was not any proprietary software that the organization ran that was communicating on non-standard ports.

Finally, I implemented the blocking changes, and monitored for the next couple weeks.

All told, this process took me about a month, but because I did the prep work ahead of time, it went very smoothly.

-Josh

Josh Brower

  • Seems like a very wise approach. Can you please share what tools you used to monitor the egress traffic before and after you implemented the firewall changes? – joshu Mar 27 '13 at 01:46
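An added example (not from the page or any of the answerers) of the first-week tally Josh describes, combined with August's advice to note which external IPs each allowed service actually reaches: it parses firewall connection log lines, counts flows per destination port, flags ports outside the allow list, and collects the destinations seen per allowed service. The log lines are constructed, and their shape (ASA 302013/302015 "Built outbound ... connection" messages, with the external endpoint first) is an assumption.

```python
import re
from collections import Counter, defaultdict

# Ports from August's list plus the secure variants it names: (proto, port).
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 110), ("tcp", 995), ("tcp", 143),
           ("tcp", 993), ("tcp", 25), ("tcp", 465), ("udp", 53)}

# Constructed sample lines shaped like ASA 302013/302015 "Built outbound"
# messages (assumption): the first endpoint is the external destination, the
# "to" endpoint is the internal client.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 100 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.20/51001 (198.51.100.1/51001)
%ASA-6-302015: Built outbound UDP connection 102 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.5/40000 (198.51.100.1/40000)
%ASA-6-302013: Built outbound TCP connection 103 for outside:203.0.113.25/993 (203.0.113.25/993) to inside:192.168.1.21/51003 (198.51.100.1/51003)
%ASA-6-302013: Built outbound TCP connection 104 for outside:203.0.113.99/27015 (203.0.113.99/27015) to inside:192.168.1.22/51004 (198.51.100.1/51004)
%ASA-6-302013: Built outbound TCP connection 105 for outside:203.0.113.10/8080 (203.0.113.10/8080) to inside:192.168.1.20/51005 (198.51.100.1/51005)
%ASA-6-302013: Built outbound TCP connection 106 for outside:203.0.113.25/993 (203.0.113.25/993) to inside:192.168.1.23/51006 (198.51.100.1/51006)
"""

LINE_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) .*? to \w+:(?P<src_ip>[\d.]+)/\d+")

def parse(log):
    """Yield (proto, dst_ip, dst_port, src_ip) for each outbound build message."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"].lower(), m["dst_ip"], int(m["dst_port"]), m["src_ip"]

def summarize(log, allowed=ALLOWED):
    """Return (flow counts per (proto, port), the subset not in the allow list,
    external IPs seen per allowed service).  The last item is what you need
    to tighten each ACL line from 'any' to the destinations actually used."""
    counts = Counter()
    dsts = defaultdict(set)
    for proto, dst_ip, dport, _src in parse(log):
        counts[(proto, dport)] += 1
        if (proto, dport) in allowed:
            dsts[(proto, dport)].add(dst_ip)
    unexpected = {svc: n for svc, n in counts.items() if svc not in allowed}
    return counts, unexpected, dict(dsts)

if __name__ == "__main__":
    counts, unexpected, dsts = summarize(SAMPLE_LOG)
    for svc, n in counts.most_common():
        print(f"{svc[0]}/{svc[1]}: {n}", "" if svc in ALLOWED else "<-- review")
    for svc, ips in sorted(dsts.items()):
        print("allowed", svc, "->", sorted(ips))
```

Run it against a week of real "Built outbound" lines; the "review" entries are the ports to take to management before the deny rule goes in, and the per-service IP sets are the candidates for host-specific ACL entries.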
It's not uncommon to find webservers running on port 8080 or 8000 or 8888 so you might want to include those.

Simon Hodgson
Port 25 SMTP, but if you have a relay then just allow the relay. Messengers - MSN, GTalk etc.

Set up logging and watch what is blocked as well; there may be somebody using a different port.

silviud
It depends on how many services you want to allow traffic for. There's no all-purpose prescription. Maybe in your list you forgot FTP ports 21 and 20. For a more detailed answer we need a more detailed list of services with traffic to allow.

Nicola Boccardi