CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Does anyone out there have a proxy server that users on the network point to in their browser for access to the Internet? If so, do you restrict the ports that the proxy server is allowed to talk out on (eg, only 80/443) or are any ports allowed outbound? If you restrict, is the restriction imposed on the firewall, on the proxy itself, or both? If you restrict on the firewall, do non-allowed ports get dropped (eg, in the cleanup rule) or rejected? Any experience, advice, comments are welcomed/appreciated. Thanks.
Thanks for the reply. So you restrict on both the proxy and firewall. Do you restrict to just 80 and 443, or do you also allow specific high ports as needed, and if so, how many approximately are allowed (ie, 10 or 300)? Are non-allowed ports dropped or rejected in the firewall?
Yes, we use a proxy. Yes, we restrict the ports. We restrict only on the firewall and drop them. I've probably got about five exceptions, for dumb things like WebTrends and a cellular company who insists on running their text messaging system (send SMS via a browser) on a non-standard port. Where possible, I create a second rule with the proxy as source, all of the non-standard ports as the services, and restrict the destinations. I try to stick to the standards rigorously. Security through obscurity does not work and people who run web servers on non-standard ports are usually small companies. If they think that is making them secure, we don't want to do business with them. HTH, Ray
I don't "own" firewalls, I just deploy them, but your policy should be as strict as possible and enforced in both devices, just like Ray said. Since you have a proxy you should also make sure that no machines are going out direct, etc.
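The rule layout Ray describes (proxy to anywhere on 80/443, a second proxy-sourced rule for the few non-standard ports with restricted destinations, cleanup drop) and the "no machines going out direct" check from the last reply, modelled as a small first-match rulebase simulator. This is an added example, not code from the thread or from Check Point; the addresses, the proxy/internal ranges and the rulebase itself are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Sequence, Union

Pattern = Union[str, int]  # "any", a CIDR string, or a TCP port number

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Sequence[str]       # CIDR strings or "any"
    destinations: Sequence[str]  # CIDR strings or "any"
    services: Sequence[Pattern]  # TCP ports or "any"
    action: str                  # "accept" or "drop"

PROXY = "10.0.0.10/32"    # constructed proxy address
INTERNAL = "10.0.0.0/8"   # constructed internal client range

# Constructed rulebase following the thread's layout: the proxy may go anywhere
# on 80/443, a second rule lets the proxy use a few non-standard ports only to
# named destinations, and the cleanup rule drops everything else.
RULEBASE = (
    Rule("proxy-web", [PROXY], ["any"], [80, 443], "accept"),
    Rule("proxy-exceptions", [PROXY], ["203.0.113.25/32"], [8080, 8443], "accept"),
    Rule("cleanup", ["any"], ["any"], ["any"], "drop"),
)

def _addr_match(addr: str, patterns: Sequence[str]) -> bool:
    ip = ip_address(addr)
    return any(p == "any" or ip in ip_network(p) for p in patterns)

def evaluate(rulebase: Sequence[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; returns the action of the matching rule."""
    for rule in rulebase:
        if (_addr_match(src, rule.sources) and _addr_match(dst, rule.destinations)
                and ("any" in rule.services or port in rule.services)):
            return rule.action
    return "drop"  # implicit drop when no cleanup rule is present

def proxy_bypass_rules(rulebase: Sequence[Rule], internal: str, proxy: str) -> list:
    """Names of accept rules whose source covers an internal host other than the proxy."""
    inside, proxy_net = ip_network(internal), ip_network(proxy)
    bad = []
    for rule in rulebase:
        if rule.action != "accept":
            continue
        for p in rule.sources:
            if p == "any" or (ip_network(p).overlaps(inside) and ip_network(p) != proxy_net):
                bad.append(rule.name)
                break
    return bad
```

Running `proxy_bypass_rules` over a real export of the rulebase is the quick way to catch an accept rule that lets clients skip the proxy.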