Juniper SRX 210H
The default for outgoing NAT and Policy is to just allow all. However, what are the best practices for limiting outgoing traffic? Can any of you give configuration examples of limitations you have imposed on outgoing traffic? For example, maybe you have an Active Directory domain so you block LDAP outgoing or something.
It usually depends on your environment. Data center firewalls usually have different requirements than corp ones. I'll give you 2 examples:
For application servers in a data center I would construct the policies to allow ONLY Internet traffic that is needed. I'll have a policy for FTPS which goes to a backup server outside the network. The application servers may need to "phone home" for licensing so that would also be a separate policy. Most vendors have this info posted like their networks and ports required. The key in this situation is that you ALWAYS have a specific source, destination, and protocol assigned in each policy. No "any"!
For egress Internet access on a corp firewall you'll have to be more lenient. You will probably have an "Internet-ANY" policy which lets users reach websites. In most cases you won't have a list of approved websites. You would want to use a proxy for such things, but the point being your destination would be ANY but your protocols would still be restricted. Probably only HTTP, DNS, PING, and HTTPS in that policy. You should also specify your internal networks by /24s or whatever size blocks you commonly use. That is best practice.
Things like RDP, SSH, etc are generally restricted for networks or IPs in the technical depts. If running a local mail server I always have a policy in place which allows the mail server to communicate on port 25, but block all other devices inside the network in a separate policy. I like to set a log on the block policy. It allows you to see devices which may be infected with a virus trying to send spam from your network. It's an easy way to prevent your network from being blacklisted.
So if I want to limit people to doing HTTP, HTTPS, and FTP I could have an outgoing policy like this:
destination address any;
application [ junos-http junos-https junos-ftp ];
What do you think?
At a previous job we had a few sites with restricted outbound internet ports. You will be surprised how many are required for general internet access on a corporate network. There are a fair number of internet based applications that end up using other ports. Our rule bases were different at the two sites: one had about 40-50 permitted ports, the other about 20-30. There were also more specific rules for particular applications with specified destination addresses.
We also then had to respond to and research tickets for "internet not working" and then get approvals to permit additional ports. These would be either general for the internet rule expansion or specific to an application or exception.
I was not there when it was first turned on, but I understand the process of discovering these ports was disruptive for users as they are not well documented. But the result was stronger security for the site and a fuller understanding of what was being used from internet hosts.
To do the discovery, I would approach it like this.
Create the rule you suggest before the general internet rule
(perhaps without the ftp. This is a vector to egress data and might be better on a site approved basis.)
Monitor the general rule and see what other ports are in use, research the destination site/ip address, contact the users and see whether it should be added to the general rule or tracked as an exception with a specific rule.
Keep going until there is virtually no traffic on the general rule or only traffic you want to block. Then convert the permit to deny with log.
What I get from this sounds like exactly what I need to do:
1) enumerate all of the outgoing ports that are in use.
2) by a process of elimination, end up with traffic we want to block in the "general rule".
3) block using the general rule.
My problem is that I don't get an idea of what the code looks like that does this. In particular, I can't interpret: "Create the rule you suggest before the general internet rule"
Sorry if I'm dense but I rarely have the need to modify JUNOS code so I'm always in a learning mode!
Also, I take it that we would be blocking ports that have been *in use* as compared with blocking all ports - except ports that *are needed*.
Thanks!
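Here is what the whole thread looks like in Junos set-command form: the restricted web rule placed before the general Internet rule (the discovery process from the second answer), plus the first answer's mail-server pattern of "permit the one host on SMTP, deny and log everyone else". This is an added example, not configuration posted by anyone in the thread. It assumes the zones are named trust and untrust, the prefixes and the mail-server address are constructed, and the global address-book needs Junos 11.2 or later (on older releases the same addresses go under "security zones security-zone trust address-book"). Lines starting with ## are comments.

```junos
## Addressing: name the internal /24s instead of using "any" as source (constructed prefixes)
set security address-book global address users-lan 192.168.10.0/24
set security address-book global address servers-lan 192.168.20.0/24
set security address-book global address mail-server 192.168.20.25/32

## The restricted application set: web, DNS and ping only. FTP is left out on purpose
## (it is a data-egress path; add it per site on request)
set applications application-set corp-internet-apps application junos-http
set applications application-set corp-internet-apps application junos-https
set applications application-set corp-internet-apps application junos-dns-udp
set applications application-set corp-internet-apps application junos-dns-tcp
set applications application-set corp-internet-apps application junos-ping

## 1. "The rule you suggest": users reach any destination, but only over the listed applications
set security policies from-zone trust to-zone untrust policy allow-web match source-address users-lan
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application corp-internet-apps
set security policies from-zone trust to-zone untrust policy allow-web then permit

## 2. Mail: only the mail server may speak SMTP outbound; everything else is denied and logged,
##    so an internal host spewing spam shows up in the log instead of getting you blacklisted
set security policies from-zone trust to-zone untrust policy allow-smtp-mailserver match source-address mail-server
set security policies from-zone trust to-zone untrust policy allow-smtp-mailserver match destination-address any
set security policies from-zone trust to-zone untrust policy allow-smtp-mailserver match application junos-smtp
set security policies from-zone trust to-zone untrust policy allow-smtp-mailserver then permit
set security policies from-zone trust to-zone untrust policy deny-smtp-others match source-address any
set security policies from-zone trust to-zone untrust policy deny-smtp-others match destination-address any
set security policies from-zone trust to-zone untrust policy deny-smtp-others match application junos-smtp
set security policies from-zone trust to-zone untrust policy deny-smtp-others then deny
set security policies from-zone trust to-zone untrust policy deny-smtp-others then log session-init

## 3. The general Internet rule, last in the list: still permits during discovery, but logs every session
set security policies from-zone trust to-zone untrust policy general-internet match source-address any
set security policies from-zone trust to-zone untrust policy general-internet match destination-address any
set security policies from-zone trust to-zone untrust policy general-internet match application any
set security policies from-zone trust to-zone untrust policy general-internet then permit
set security policies from-zone trust to-zone untrust policy general-internet then log session-close

## Policies are evaluated top-down and the first match wins, so the specific rules must sit above the general one.
## "insert ... before" is how you reorder policies that already exist in the configuration
insert security policies from-zone trust to-zone untrust policy allow-web before policy general-internet
insert security policies from-zone trust to-zone untrust policy allow-smtp-mailserver before policy general-internet
insert security policies from-zone trust to-zone untrust policy deny-smtp-others before policy general-internet

## Keep the RT_FLOW session logs in a local file so the general rule's leftover traffic can be reviewed
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
commit

## Discovery (operational mode): anything logged against general-internet is a port/destination still
## unaccounted for. Research it, then either add it to corp-internet-apps or give it its own specific rule
show log traffic-log | match "general-internet"

## Once only unwanted traffic remains on the general rule, flip it from permit to deny-with-log
delete security policies from-zone trust to-zone untrust policy general-internet then
set security policies from-zone trust to-zone untrust policy general-internet then deny
set security policies from-zone trust to-zone untrust policy general-internet then log session-init
commit
```

The ordering is the part the question asked about: allow-web and the two SMTP rules match first, and only sessions that none of them accept fall through to general-internet. Logging is session-close on the permit version (so you see bytes and duration) and session-init on the deny version (a denied session never closes). Each time you move a port out of the general rule, commit and check the log again; the general rule is ready to become a deny when what it logs is only traffic you intend to drop.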