
Types of traffic to block at the firewall

What types of traffic should definitely be blocked at the firewall?

You should block all services that do not have an explicit business need. In the olden days (say, five years ago), we had the luxury of being able to just block certain services that had security holes. Nowadays, any service you let through your firewall exposes you to the risks associated with that particular service and also opens up a tunnel an attacker can use to communicate with a backdoor. So, in the past, you may have just closed eight services or so. Now, you must close them all at the firewall and turn on only those services you really need. So, if you have a Web server, allow only Web requests and responses. If you have a DNS server, allow DNS requests and responses, and so on.

Please keep in mind that you must implement this in both directions: outgoing and incoming. Some folks think that if they just filter incoming connections, they are safe. However, outgoing connections are increasingly used by the bad guys to communicate with backdoors. I can hack your boxes through a limited incoming connection (say I just use a buffer overflow carried via HTTP or DNS traffic). I use this overflow to configure your boxes to push me out a shell using a tool like Netcat, reverse WWW shell or even just plain old X window terminals. Then, I have incoming shell access via outgoing traffic. Bummer. That's why you have to block all traffic, coming in or going out, for all services except what you absolutely need.
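The default-deny policy in both directions described above, as an added example that is not part of the original answer: it checks constructed connection records against an allowlist and compares an incoming-only filter with one that also filters outgoing traffic. The addresses (documentation ranges), port numbers and the names `Flow`, `ALLOW`, `decide` and `audit` are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Assumed site layout (constructed): one Web server and one DNS server inside.
INSIDE = ipaddress.ip_network("192.0.2.0/24")
WEB, DNS = "192.0.2.10", "192.0.2.53"

# Explicit business needs only: (direction, inside host, protocol, dest port).
ALLOW = {
    ("in", WEB, "tcp", 80),   # Web requests to the Web server
    ("in", DNS, "udp", 53),   # DNS queries to the DNS server
    ("out", DNS, "udp", 53),  # DNS server resolving upstream
}

def direction(flow):
    """Return 'in' or 'out' by which side opened the connection, else None."""
    src_in = ipaddress.ip_address(flow.src) in INSIDE
    dst_in = ipaddress.ip_address(flow.dst) in INSIDE
    if src_in == dst_in:
        return None  # does not cross the firewall
    return "out" if src_in else "in"

def decide(flow, filter_outbound=True):
    """Default deny for new connections; replies are assumed to be handled
    by stateful tracking on the firewall."""
    d = direction(flow)
    if d is None:
        return "n/a"
    if d == "out" and not filter_outbound:
        return "accept"  # the incoming-only policy the answer warns about
    host = flow.dst if d == "in" else flow.src
    return "accept" if (d, host, flow.proto, flow.dport) in ALLOW else "drop"

def audit(flows, filter_outbound=True):
    return [(f, decide(f, filter_outbound)) for f in flows]

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("198.51.100.7", WEB, "tcp", 80),    # Web request
    Flow("198.51.100.7", WEB, "tcp", 23),    # service with no business need
    Flow(DNS, "203.0.113.1", "udp", 53),     # upstream DNS lookup
    Flow(WEB, "198.51.100.7", "tcp", 4444),  # Web server connecting outward
]

if __name__ == "__main__":
    for label, both in (("incoming-only", False), ("both directions", True)):
        print(label)
        for f, verdict in audit(SAMPLE_FLOWS, both):
            print(f"  {verdict:6} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Only the last record changes verdict between the two runs: the incoming-only filter accepts the Web server's outward connection, and the both-directions policy drops it.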


This was last published in June 2002
