Re: Port 443 Outbound



In theory, yes, but in practice, not really.

The truth is that there is a very small number of firewall OSes out there. If you've done what you should with your network (only admins can install apps, etc.) then malware has gotten behind your network because *it* has admin access, and it is trivial for malware to *use* that admin access to reconfigure a firewall, whether that is software or hardware.

I remember when ZoneAlarm made a big deal that they checksum files on their allow list and Symantec's product didn't. Within about a week there was a new trojan that installed itself as a DLL in IE, so IE's checksum still worked out and it got past ZoneAlarm with no problem.

All I'm saying is that if something has access to your network then you have bigger problems, and it getting past your firewall to "phone home" is the least of your problems. It can lie, alter logs, or alter other machines to find a way around your precautions. Or, worst-case scenario (and there are viruses that do this), trigger a doomsday payload because they *can't* call home...where if they did, they'd quietly keep collecting data.

In a weird way, I think I'd rather have something do what it is programmed to do, so I can get IP addresses and *maybe* recover from it. But relying on egress filtering for security is, in my opinion, nearly worthless. I know others may disagree.

-Cliff

"John gordon" <johngordon@xxxxxxxxxxxxx> wrote in message news:#2oTo05vJHA.5836@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for that.
Agreed - I would much rather nothing got on the network in the first place and have Trend and auditing set up (not Snort, admittedly), but surely a device that could monitor 443 outbound would only act as an extra layer of defence?


"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message news:O2InkX5vJHA.3832@xxxxxxxxxxxxxxxxxxxxxxx
Here is my take.

An edge device should *not* be used to block or even detect malware on your network. Even if you do successfully stop it from calling home, it is already behind your firewall and thus has unprecedented access to your network. Who knows what the payload is or what its instructions are if it *can't* contact home. No no...an edge device is used for inbound blocking and filtering, but is not an effective security boundary for malware already in your network.

You can use outbound filtering to prevent some abuses by employees, such as email port blocking from all IPs but the server, or DNS filtering to prevent lookups of certain sites such as YouTube. But those aren't necessarily "security" related as much as they are policy related.

No, there is no substitute for good internal network monitoring. Centralized AV is a good start, but auditing is also important. Microsoft Baseline Security Analyzer, Snort, etc, are all good tools to have set up and running regularly.

-Cliff


"John gordon" <johngordon@xxxxxxxxxxxxx> wrote in message news:e2L$wizvJHA.5100@xxxxxxxxxxxxxxxxxxxxxxx
I recently came across articles discussing malware's use of ports 443 and 80 outbound to "call home".
I have always set my own systems up to use egress filtering to, for instance, only allow email traffic out to my ISP's Smart Host from my server's IP (but these two ports, 443 and 80, I leave open outbound in order to allow web browsing etc.). In one article (http://blogs.windowsecurity.com/shinder/2008/02/03/tcp-443-the-universal-firewall-port-not/) Dr Tom Shinder talks about web proxies from Blue Coat and Collective Software. What is the best way to counter this threat of malware communicating outbound over 443 and 80 in an SBS 2008 environment? Can any of the hardware firewalls that have been discussed in this forum, such as those from Watchguard and Sonicwall, see inside an outbound 443 connection? Or are such proxies the answer? Comments would be welcome. Or am I talking rubbish?
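To make the thread's point concrete, here is an added example (not code from any of the posters) that models the egress policy John describes: SMTP allowed only from the server's IP to the ISP smart host, 80 and 443 open outbound to anywhere, everything else dropped. It runs a handful of constructed outbound flows through that policy to show that a 443 "call home" sails through exactly as Cliff says, and then applies the kind of check a "device that monitors 443 outbound" might do: flagging a (source, destination) pair whose 443 connections recur on a near-constant timer, which browsing does not do. All IP addresses, timestamps and flows are constructed for illustration; the jitter threshold is an assumption, not a vendor setting.

```python
"""Egress-policy evaluator plus a 443 beacon-regularity check.

Added example for the thread above; not code from any poster or vendor.
Models John's ruleset (SMTP only server -> smart host; 80/443 open;
default deny) and evaluates constructed outbound flows against it.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev
from typing import Optional

MAIL_SERVER = "192.168.16.2"     # constructed: the SBS box on the LAN
SMART_HOST = "203.0.113.25"      # constructed: the ISP smart host


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # None matches any value
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return all(want is None or want == getattr(f, field)
                   for field, want in (("src", self.src),
                                       ("dst", self.dst),
                                       ("dport", self.dport)))


# First-match egress policy, as described in the thread.
EGRESS_POLICY = [
    Rule("allow", src=MAIL_SERVER, dst=SMART_HOST, dport=25),
    Rule("deny", dport=25),       # any other outbound SMTP is blocked
    Rule("allow", dport=80),      # web browsing left open ...
    Rule("allow", dport=443),     # ... including 443, so 443 C2 passes too
    Rule("deny"),                 # default deny
]


def evaluate(flow: Flow, policy=EGRESS_POLICY) -> str:
    """Return the action of the first matching rule ("deny" if none)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def permitted(flows, policy=EGRESS_POLICY):
    return [f for f in flows if evaluate(f, policy) == "allow"]


def beacon_candidates(flows, min_hits=4, max_jitter=0.15):
    """Flag (src, dst) pairs whose 443 connections recur on a near-fixed
    interval: coefficient of variation of the gaps <= max_jitter (assumed
    threshold). Returns [((src, dst), mean_interval_seconds), ...]."""
    groups = defaultdict(list)
    for f in flows:
        if f.dport == 443:
            groups[(f.src, f.dst)].append(f.ts)
    found = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append((key, round(mean)))
    return found


# Constructed sample: the server relaying mail, a PC browsing and trying
# direct SMTP, and an infected PC beaconing on 443 about every 300 s.
SAMPLE_FLOWS = [
    Flow(0, MAIL_SERVER, SMART_HOST, 25),
    Flow(5, "192.168.16.50", "198.51.100.9", 25),      # direct SMTP: blocked
    Flow(12, "192.168.16.50", "198.51.100.20", 443),   # bursty browsing
    Flow(13, "192.168.16.50", "198.51.100.20", 443),
    Flow(14, "192.168.16.50", "198.51.100.21", 80),
    Flow(240, "192.168.16.50", "198.51.100.20", 443),
    Flow(600, "192.168.16.50", "198.51.100.20", 443),
    Flow(30, "192.168.16.77", "192.0.2.10", 443),      # beacon, passes policy
    Flow(331, "192.168.16.77", "192.0.2.10", 443),
    Flow(629, "192.168.16.77", "192.0.2.10", 443),
    Flow(932, "192.168.16.77", "192.0.2.10", 443),
    Flow(1230, "192.168.16.77", "192.0.2.10", 443),
    Flow(40, "192.168.16.77", "192.0.2.10", 6667),     # IRC-style C2: blocked
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{evaluate(f):5} {f.src} -> {f.dst}:{f.dport}")
    print("beacon candidates:", beacon_candidates(SAMPLE_FLOWS))
```

Run as-is it shows eleven of the thirteen flows permitted, including every 443 beacon, and only the direct-SMTP and port-6667 attempts dropped; the regularity check then singles out the 192.168.16.77 to 192.0.2.10 pair at a 300-second interval while the browsing host's 443 traffic is too irregular to flag. A real beacon can add jitter or ride on legitimate-looking hosts, which is the practical reason Cliff puts internal monitoring ahead of the edge rule.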