Quote:
Originally Posted by masraum
I understand that it's more secure to say "permit from the internal networks to the internet on port 80 and 443" and then let everything else be denied (greatly oversimplified, of course; you'd have to permit more than 80 and 443).
Do any of you restrict outbound access like that, only allowing a few (relatively) ports/protocols from the inside to the outside, or do you basically have a "permit ip any any" from the inside to the outside?
Sorry I'm late to the party, but I wanted to respond to Steve's original question.
Whatever you do, it needs to be backed up by your InfoSec policy. Otherwise, it has no teeth and exception after exception will be made.
Not to provide any specific details of our policies, but anything other than port 80 or 443 access to the untrust must have specific, detailed, approved and documented business justification. By default, our users get just that access and it is all proxied.
We also filter access to the web based upon content (both inappropriate and potentially dangerous). We also heavily monitor that traffic via an IDP system for potential vulns and intrusion attempts. That's just for the general population. If we have to grant other access because of justified business reasons, that's when we get really serious about security.
I do want to point out that reliance on point solutions is folly. You need to have an overall approach that is sponsored, funded, blessed and followed by the C-level in your organization to stand a chance of improving the security of your environment.
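As an added illustration of the egress model described in this reply (not code from the poster or the thread), the following audit applies the "proxied 80/443 by default, everything else needs a documented exception" rule to constructed firewall flow records. The internal address range, proxy address, exception register and log format are all assumptions for the example.

```python
"""Egress-policy audit over constructed flow records (added example).

Policy modelled: inside hosts reach the untrust zone only on 80/443 and
only through the proxy; any other outbound flow needs an approved,
documented exception. Flows breaking either rule are flagged for review.
"""
from dataclasses import dataclass

INTERNAL_NETS = ("10.",)          # assumed internal address space
PROXY_HOSTS = {"10.0.0.20"}       # assumed outbound web proxy
WEB_PORTS = {80, 443}

# Assumed exception register: (src, dport) -> change ticket (constructed).
APPROVED_EXCEPTIONS = {("10.0.1.50", 22): "CHG-0042 sftp to vendor"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NETS)

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'key=value' firewall log line into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv.get("proto", "tcp"))

def classify(flow: Flow) -> str:
    """Return 'allow', 'proxy-bypass', 'allowed-exception' or 'deny'."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return "allow"            # not inside -> untrust; out of scope
    if flow.src in PROXY_HOSTS and flow.dport in WEB_PORTS:
        return "allow"            # the proxy's own web fetches
    if flow.dport in WEB_PORTS:
        return "proxy-bypass"     # client went direct instead of via proxy
    if (flow.src, flow.dport) in APPROVED_EXCEPTIONS:
        return "allowed-exception"
    return "deny"                 # undocumented non-web egress

def audit(flows):
    """Return (flow, verdict) pairs that need investigation."""
    return [(f, classify(f)) for f in flows
            if classify(f) in ("proxy-bypass", "deny")]

SAMPLE_LOG = """\
src=10.0.1.10 dst=10.0.0.20 dport=3128 proto=tcp
src=10.0.0.20 dst=203.0.113.7 dport=443 proto=tcp
src=10.0.1.11 dst=198.51.100.9 dport=443 proto=tcp
src=10.0.1.50 dst=198.51.100.22 dport=22 proto=tcp
src=10.0.1.12 dst=203.0.113.53 dport=53 proto=udp
"""  # constructed sample records using documentation address ranges
```

Running `audit([parse_flow(l) for l in SAMPLE_LOG.splitlines()])` flags the direct 443 flow and the outbound DNS flow, while the proxy's own fetch and the ticketed SFTP exception pass.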