How bad is this client-side firewall rule?

Scholar


How bad would you say that this rule is to have on all clients (medium sized company)?

 

Name: Outbound TCP and UDP traffic

Type: Allow

Remote address: 0.0.0.0/0,::/0

Service: TCP / Transmission Control Protocol, Direction "out"

Service: UDP / User Datagram Protocol, Direction "out"

 

/JW

4 replies
Scholar

Re: How bad is this client-side firewall rule?

[Attached screenshot: Capture.PNG]

Superuser

Re: How bad is this client-side firewall rule?

it says: "All Outbound traffic allowed"
If that is the only rule you see, there is the built-in rule "deny rest" placed after it.

What does it mean for your security?
No other system will be able to connect to any service on your machine.

If that rule is applied to all workstations in your domain, all of them are somewhat immunized to a worm. The one system that "hosts" the worm will stay alone. You could say it gets quarantined by the others not allowing it to connect, regardless of a vulnerability in a Windows service on the other system.

So from a malware protection point of view the firewall rule is the minimum to deploy.

Certainly you can add additional rules or limit outbound traffic to http(s). But that is a different goal, a safety goal, not security.

 

M.

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to my best knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de

Scholar

Re: How bad is this client-side firewall rule?

Yes, I have the "Deny rest" at the end. But what I was thinking about was whether it is good practice to actually allow all outbound traffic. I mean, there could be some botnet traffic going out from an infected client, or outbound traffic to blacklisted domains, etc. But perhaps that would be taken care of by other parts of the F-Secure Client Security Premium suite, like Browsing Protection or Web Traffic Scanning?

 

Thanks,

JW

Supporter

Re: How bad is this client-side firewall rule?

My advice would be to only allow the traffic you need.

 

tcp 80/443 to everywhere, DNS to your nameservers, ftp/ssh/smtp where needed, SMB to your local network, etc. It takes some time to plan and set up, but it will be much more secure than just allowing all outgoing traffic.

 

Here's an example of an exploit:

https://thehackernews.com/2018/04/outlook-smb-vulnerability.html
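The two policies discussed in this thread (the "allow all outbound" rule from the question followed by the built-in "deny rest", versus the per-service allowlist sketched in the last reply) can be compared with a small model of first-match rule evaluation. The following is an added example, not code from the thread, from F-Secure or from the product; it models the semantics described above in plain Python. The nameserver addresses (10.0.0.53/54), the "local network" range (10.0.0.0/8), the sample remote hosts (documentation ranges) and the sample flows are all constructed assumptions.

```python
"""Model of a first-match outbound firewall policy with implicit deny rest.

Added example, not F-Secure's implementation. It reproduces the semantics
described in the thread: rules are checked top to bottom, the first match
decides, and a built-in "deny rest" applies to anything unmatched.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    protos: FrozenSet[str]                   # transport protocols covered
    remote_nets: Tuple                       # ip_network objects
    ports: Optional[FrozenSet[int]] = None   # None means any remote port


def rule_matches(rule: Rule, proto: str, remote_ip: str, port: int) -> bool:
    if proto not in rule.protos:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(remote_ip)
    # An IPv4 address never matches an IPv6 network and vice versa, which is
    # why the rule in the question has to list both 0.0.0.0/0 and ::/0.
    return any(ip in net for net in rule.remote_nets)


def evaluate(policy: Tuple[Rule, ...], proto: str, remote_ip: str, port: int):
    """First matching rule wins; anything unmatched hits the built-in deny."""
    for rule in policy:
        if rule_matches(rule, proto, remote_ip, port):
            return rule.action, rule.name
    return "deny", "deny rest (built-in)"


# Policy 1: exactly the rule from the question, then only the built-in deny.
PERMISSIVE = (
    Rule("Outbound TCP and UDP traffic", "allow",
         frozenset({"tcp", "udp"}), (ANY_V4, ANY_V6)),
)

# Policy 2: the allowlist the last reply sketches. Nameserver and LAN
# addresses are assumptions for this example.
NAMESERVERS = (ipaddress.ip_network("10.0.0.53/32"),
               ipaddress.ip_network("10.0.0.54/32"))
LAN = (ipaddress.ip_network("10.0.0.0/8"),)
ALLOWLIST = (
    Rule("Web", "allow", frozenset({"tcp"}), (ANY_V4, ANY_V6),
         frozenset({80, 443})),
    Rule("DNS to our nameservers", "allow", frozenset({"tcp", "udp"}),
         NAMESERVERS, frozenset({53})),
    Rule("SMB to local network", "allow", frozenset({"tcp"}), LAN,
         frozenset({445})),
)

# Constructed sample flows: (description, proto, remote_ip, remote_port).
FLOWS = (
    ("HTTPS to a web server", "tcp", "203.0.113.80", 443),
    ("HTTPS to an IPv6 web server", "tcp", "2001:db8::80", 443),
    ("DNS to the corporate nameserver", "udp", "10.0.0.53", 53),
    ("DNS to a public resolver", "udp", "198.51.100.53", 53),
    ("SMB to a LAN file server", "tcp", "10.20.30.40", 445),
    ("SMB to an internet host", "tcp", "198.51.100.45", 445),
    ("TCP 6667 to an unknown host", "tcp", "198.51.100.7", 6667),
)

POLICIES = (("permissive", PERMISSIVE), ("allowlist", ALLOWLIST))


def compare(flows=FLOWS, policies=POLICIES):
    """Return {flow description: {policy name: action}} for every flow."""
    results = {}
    for desc, proto, ip, port in flows:
        results[desc] = {name: evaluate(pol, proto, ip, port)[0]
                         for name, pol in policies}
    return results


if __name__ == "__main__":
    for desc, verdicts in compare().items():
        print(f"{desc:34} permissive={verdicts['permissive']:5} "
              f"allowlist={verdicts['allowlist']}")
```

Running it shows the difference the last reply is pointing at: every flow is allowed under the question's rule, while the allowlist still lets web, internal DNS and LAN SMB through but drops DNS to an outside resolver, SMB to an internet host and traffic on an unexpected port. Note that because both policies end in "deny rest", the inbound picture Matthias describes is identical for both; the allowlist only changes what an already-compromised client can reach outbound.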