How bad is this client-side firewall rule?

JohnWick

How bad would you say that this rule is to have on all clients (medium sized company)?


Name: Outbound TCP and UDP traffic

Type: Allow

Remote address: 0.0.0.0/0,::/0

Service: TCP / Transmission Control Protocol, Direction "out"

Service: UDP / User Datagram Protocol, Direction "out"


/JW


Comments

  • JohnWick

    (attached screenshot: Capture.PNG)

  • MJ-perComp

    it says: "All Outbound traffic allowed"
    If that is the only rule you see, there is the built-in rule "deny Rest" placed after it.

    What does it mean for your security?
    No other system will be able to connect to any service on your machine.

    If that rule is applied to all Workstations in your domain, all of them are somewhat immunized to a worm. The one system that "hosts" the worm will stay alone. You could say it gets quarantined by the others not allowing it to connect, regardless of a vulnerability in a Windows service on the other system.

    So from a malware protection point of view the firewall rule is the minimum to deploy.

    Certainly you can add additional rules or limit outbound traffic to http(s). But that is a different goal, a safety goal, not security.


    M.

  • JohnWick

    Yes, I have the "Deny rest" at the end. But what I was thinking about was if it is good practice to actually allow all outbound traffic? I mean there could be some botnet traffic going out from an infected client or outbound traffic to blacklisted domains etc. But perhaps that would be taken care of by other parts of the F-Secure Client Security Premium suite, like Browsing protection or Web traffic scanning?


    Thanks,

    JW

  • hyvokar

    My advice would be to only allow the traffic you need.

    TCP 80/443 to everywhere, DNS to your nameservers, FTP/SSH/SMTP where needed, SMB to your local network etc. It takes some time to plan and set up, but it will be much more secure than just allowing all outgoing traffic.

    Here's an example of an exploit:

    https://thehackernews.com/2018/04/outlook-smb-vulnerability.html
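    hyvokar's allow-list above, written out as Windows Defender Firewall rules with the built-in PowerShell cmdlets. This is an added example, not code from the thread or from F-Secure; it assumes the clients use the Windows firewall (not the F-Secure console), an internal range of 10.0.0.0/8, and placeholder addresses for the resolvers and the mail relay. The audit function at the end lists any enabled outbound Allow rule whose remote address is unrestricted, i.e. rules equivalent to the one JohnWick asked about.

    ```powershell
    # Added example: restrictive egress policy for Windows clients.
    # Assumptions (placeholders, not from the thread): internal range 10.0.0.0/8,
    # corporate resolvers 10.0.0.10/11, SMTP relay 10.0.0.25.
    $InternalNet = '10.0.0.0/8'
    $DnsServers  = @('10.0.0.10', '10.0.0.11')
    $MailRelay   = '10.0.0.25'

    function Set-RestrictiveEgressPolicy {
        # Block outbound by default on every profile; the Allow rules below punch holes.
        # Windows' built-in "Core Networking" rules (DHCP, loopback, etc.) stay in place.
        Set-NetFirewallProfile -Profile Domain,Private,Public `
            -DefaultInboundAction Block -DefaultOutboundAction Block

        # Web to anywhere (TCP 80/443).
        New-NetFirewallRule -DisplayName 'Egress: HTTP/HTTPS' -Direction Outbound `
            -Action Allow -Protocol TCP -RemotePort 80,443 -RemoteAddress Any

        # DNS only to the corporate resolvers; direct DNS to the Internet is dropped.
        New-NetFirewallRule -DisplayName 'Egress: DNS (UDP) to resolvers' -Direction Outbound `
            -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
        New-NetFirewallRule -DisplayName 'Egress: DNS (TCP) to resolvers' -Direction Outbound `
            -Action Allow -Protocol TCP -RemotePort 53 -RemoteAddress $DnsServers

        # SMB only inside the local network; SMB towards the Internet (the Outlook
        # example linked above) no longer matches any Allow rule and hits the default block.
        New-NetFirewallRule -DisplayName 'Egress: SMB internal only' -Direction Outbound `
            -Action Allow -Protocol TCP -RemotePort 445 -RemoteAddress $InternalNet

        # SMTP only to the mail relay.
        New-NetFirewallRule -DisplayName 'Egress: SMTP to relay' -Direction Outbound `
            -Action Allow -Protocol TCP -RemotePort 25,587 -RemoteAddress $MailRelay
    }

    function Get-PermissiveOutboundRules {
        # Audit: enabled outbound Allow rules with an unrestricted remote address,
        # i.e. the "allow all outbound" shape from the original question.
        Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
            Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
            Select-Object DisplayName, Profile, Enabled
    }
    ```

    Domain-joined clients also need rules for authentication and directory traffic to the domain controllers, which the list in the thread does not cover, so roll the policy out to a pilot group first and watch the firewall log for dropped outbound connections.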
