Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
egress filtering? yes!egress filtering? yes!Posted Apr 11, 2006 15:51 UTC (Tue) by lutchann (subscriber, #8872)In reply to: egress filtering? by man_ls Parent article: Crossplatform virus - the latest proof of concept
You're right, which is why I don't allow connections via port 80 to just any server. All allowed outbound connections from my internal networks are fully specified by source host, destination host and destination port; for the most part this is limited to allowing only connections to a client's servers or VPN endpoint, plus my local DNS and NTP servers. This reasonably well isolates all my internal networks from each other and the Internet, which conveniently solves a lot of problems that IT departments tend to bring up when you request VPN access to their network.
(Log in to post comments)
a bit excessive Posted Apr 11, 2006 16:06 UTC (Tue) by man_ls (subscriber, #15091) [Link] So, what do you do when you have a problem in the network and need to look something up on the web?
a bit excessive Posted Apr 11, 2006 16:34 UTC (Tue) by lutchann (subscriber, #8872) [Link] I have other networks here besides those I consider "internal"--everything with Internet access is in a DMZ-type network, so laptop+wireless works fine for web and IM. But from the perspective of the internal networks where all the real work goes on, the DMZ is as untrustworthy as the open Internet.
|
|||||||||||