How bad is this client-side firewall rule?

JohnWick

How bad would you say that this rule is to have on all clients (medium sized company)?

 

Name: Outbound TCP and UDP traffic

Type: Allow

Remote address: 0.0.0.0/0,::/0

Service: TCP / Transmission Control Protocol, Direction "out"

Service: UDP / User Datagram Protocol, Direction "out"

 

/JW

 

 

 

JohnWick

MJ-perComp

it says: "All Outbound traffic allowed"
If that is the only rule you see, there is the build-in rule "deny Rest" placed after it.

What does it mean for your security?
No other system will be able to connect to any service on your machine.

If that rule is applied to all Workstations in your domain, all of them are somewhat imunized to a worm. The one system that "hosts" the worm will stay alone. You could say it gets quarantined by the others not allowing to connect, regradless of a vulnerability in a windows service on the other system.

So from a malware protection point of view the firewall rule is the minimum to deploy.

Certainly you can add additinal rules or limit outbound traffic to http(s). But that is a different, a safety goal not security.

 

M.

JohnWick

Yes, I have the "Deny rest" at the end. But what I was thinking about was if it is good practice to actually allow all outbound traffic? I mean there could be some botnet traffic going out from an infected client or outbound traffic to blacklisted domains etc. But perhaps that would be taken care of other parts of the F-Secure Client Security Premius suite, like Browsing protection or Web traffic scanning?

 

Thanks,

JW

hyvokar

My advice would be, that only allow the traffic you need.

 

tcp80/443 to everywhere, dns to your nameservers, ftp/ssh/stmp where needed, smb to your local network etc. It takes some time to plan and setup, but will be much more secure than just allowing all outgoing traffic. 

 

Here's an example of an exploit:

https://thehackernews.com/2018/04/outlook-smb-vulnerability.html