What tangible security are gained by blocking all but a few outgoing ports in a firewall

Posted by Frankie Dintino on Server Fault See other posts from Server Fault or by Frankie Dintino
Published on 2010-05-10T19:02:10Z Indexed on 2010/05/10 19:04 UTC
Read the original article Hit count: 323

Filed under:

firewall

|

subjective

|

security

Our current hardware firewall allows for blocking incoming and outgoing ports. We have two possibilities:

Block certain troublesome ports (unsecured smtp, bittorrent, etc.)
Block all but a few approved ports (http, https, ssh, imap-ssl, etc.)

I see several downsides with option 2. Occasionally web servers are hosted on non-standard ports and we would have to deal with the resulting issues. Also, there is nothing preventing a malicious or unwanted service from being hosted on port 80, for instance. What are are the upsides?

© Server Fault or respective owner

Related posts about firewall

Managed hosting firewall vs managing own firewall

as seen on Server Fault - Search for 'Server Fault'
I posted on stackoverflow as to the overall benefits of managed hosting vs non-managed hosting. The more I think about it, it seems to boil down to one question: should I use a managed host because they take care of the firewall, or would I be okay managing my own, software firewall? The sites… >>> More
Hardware firewall vs VMWare firewall appliance

as seen on Server Fault - Search for 'Server Fault'
We have a debate in our office going on whether it's necessary to get a hardware firewall or set up a virtual one on our VMWare cluster. Our environment consists of 3 server nodes (16 cores w/ 64 GB RAM each) over 2x 1 GB switches w/ an iSCSI shared storage array. Assuming that we would be dedicating… >>> More
Firewall behind firewall

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
We have no SW Firewall behind our office HW firewall, admin says its not req'd

as seen on Server Fault - Search for 'Server Fault'
I've recently changed jobs and I've been set up with a new workstation. On all previous places where I've been working they've had some sort of local firewall installed on each and every workstation - but here I've been told not to activate it because it is not necessary since we're already behind… >>> More
Can't get FTP to work on centOS 5.6

as seen on Server Fault - Search for 'Server Fault'
Hi guys I have been trying for a few hours to install and get FTP to work... I did yum install ftp and yum install vsftpd They all installed and are running but when I try to use filezilla or some other client I just can't connect....I've tried connecting on port 21 and port 990 ....nothing! These… >>> More

Related posts about subjective

Scoring/analysis of Subjective testing for skills assessment

as seen on Programmers - Search for 'Programmers'
I am lucky in the sense that I have been given the opportunity to be a 'Technical Troubleshooter' for our offshore development team. While I am confident and capable of dealing with most issues, I have come across something that I am not. Based on initial discussions with various team members both… >>> More
Best Practise/Subjective: Implement a finite state automaton in OOP

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi guys, I am thinking about implementing a programm with finite state automaton in an OOP language like Java or C++. What would you think is the best way to implement this with a manageable amount of available states, regarding to good software design? Is it good to implement for each state an… >>> More
Subjective question...would you use the Action delegate to avoid duplication of code?

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I just asked a question that helps about using generics (or polymorphism) to avoid duplication of code. I am really trying to follow the DRY principle. So I just ran into the following code... Sub OutputDataToExcel() OutputLine("Output DataBlocks", 1) OutputDataBlocks() … >>> More
"Best" language /architecture for browser-based app with ODBC and sockets? (subjective)

as seen on Stack Overflow - Search for 'Stack Overflow'
Sorry to ask a subjective question, but I would welcome some advice. I am an experienced programmer of embedded s/w, but haven't done much network programming, although I have done a fair bit of hobbyist PHP. Anyway, I have to develop what is probably a fairly general type of app, as shown in this… >>> More
The best terminal emulator for a heavy terminal user?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I spend a lot of time at the command-line during the workday and at home too since I run Ubuntu exclusively. I've been using the default gnome terminal but I've reached a point where I'd really like to get my terminal tricked out so that my common tasks are as easy as possible. Specifically, I find… >>> More