big deal

Posted Apr 9, 2006 2:48 UTC (Sun) by lutchann (subscriber, #8872)
In reply to: big deal by smoogen
Parent article: Crossplatform virus - the latest proof of concept

It's also required by my liability insurance, which isn't surprising. I'm sure that's to reduce the risk of me being unable to meet contractual obligations for a client due to a virus infection that destroys data, ties up my time fixing things, etc.

The more surprising requirement for the insurance was to maintain a firewall that not only blocks unauthorized inbound connections but unauthorized outbound connections from both servers and workstations. Since that's how all my internal networks are already set up it wasn't a big deal for me, but it was nice to see my insurer paying attention to things like that.


(Log in to post comments)

egress filtering?

Posted Apr 9, 2006 23:21 UTC (Sun) by man_ls (subscriber, #15091) [Link]

You block unauthorized outbound connections? This means that you have to "authorize" outbound connections to every new port? For me this is a waste of time; malware can connect via port 80 to whatever server it wants, and I may want to connect to remote ports for new protocols, server administration, etc. My internal networks are definitely not set up like that.

egress filtering? yes!

Posted Apr 11, 2006 15:51 UTC (Tue) by lutchann (subscriber, #8872) [Link]

You're right, which is why I don't allow connections via port 80 to just any server. All allowed outbound connections from my internal networks are fully specified by source host, destination host and destination port; for the most part this is limited to allowing only connections to a client's servers or VPN endpoint, plus my local DNS and NTP servers. This reasonably well isolates all my internal networks from each other and the Internet, which conveniently solves a lot of problems that IT departments tend to bring up when you request VPN access to their network.
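The fully specified outbound policy described in the comment above, as an added example that is not part of the thread or of any poster's own setup: every permitted connection is an explicit (source, destination, port, protocol) tuple, anything unmatched is dropped, and the same table is rendered as an nftables forward chain. All hosts, addresses and ports are constructed sample values.

```python
# Added example: default-deny egress policy modelled as explicit rules,
# plus a renderer emitting an equivalent nftables ruleset.
# All addresses, hosts and ports below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    src: str       # internal source host or CIDR
    dst: str       # destination host or CIDR
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    comment: str


# Constructed sample policy: the internal subnet may reach local DNS/NTP,
# and one workstation may reach a client's VPN endpoint and admin host.
POLICY = [
    EgressRule("10.0.1.0/24", "10.0.0.53", 53, "udp", "local DNS"),
    EgressRule("10.0.1.0/24", "10.0.0.123", 123, "udp", "local NTP"),
    EgressRule("10.0.1.10", "203.0.113.7", 1194, "udp", "client A VPN endpoint"),
    EgressRule("10.0.1.10", "198.51.100.20", 22, "tcp", "client B admin host"),
]


def _covers(spec: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def decide(src: str, dst: str, dport: int, proto: str) -> str:
    """Accept only if an explicit rule matches the whole tuple; default deny."""
    for r in POLICY:
        if (r.proto == proto and r.dport == dport
                and _covers(r.src, src) and _covers(r.dst, dst)):
            return "accept"
    return "drop"


def render_nft(policy) -> str:
    """Render the policy as an nftables forward chain with policy drop."""
    lines = ["table inet egress {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f'    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport '
                     f'{r.dport} accept comment "{r.comment}"')
    lines += ['    log prefix "egress-drop: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(POLICY))
```

The final `log ... drop` rule is what makes the policy useful for detection as well as containment: an unexpected outbound attempt from an internal host shows up in the log rather than silently succeeding on port 80.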

a bit excessive

Posted Apr 11, 2006 16:06 UTC (Tue) by man_ls (subscriber, #15091) [Link]

So, what do you do when you have a problem in the network and need to look something up on the web?

a bit excessive

Posted Apr 11, 2006 16:34 UTC (Tue) by lutchann (subscriber, #8872) [Link]

I have other networks here besides those I consider "internal"--everything with Internet access is in a DMZ-type network, so laptop+wireless works fine for web and IM. But from the perspective of the internal networks where all the real work goes on, the DMZ is as untrustworthy as the open Internet.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds