Using Firewalls to Block Spyware?
MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."
Huh? Either this is a troll, or you just don't get it.
Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.
Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.
Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.
If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.
Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination? You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.
A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail users' access to potentially hazardous sites, without impacting their ability to function.
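The egress policy described above (default-deny outbound, everything through a proxy, one browser unrestricted and IE limited to a business whitelist) can be expressed in squid, which the poster mentions using; this squid.conf fragment is an added example, not configuration from the thread, and the address range and domain names are placeholders.

```conf
# Added example (not from the thread). Assumes the firewall already denies all
# direct outbound traffic from the LAN and only permits the proxy host itself.
# Internal client range - placeholder, adjust to the real LAN.
acl localnet src 10.0.0.0/8

# Match Internet Explorer by its User-Agent header (case-insensitive regex).
acl ie browser -i MSIE

# Business-related sites IE may reach - placeholder domains.
# The leading dot also matches subdomains.
acl biz_sites dstdomain .example.com .example.net

# Only standard web ports and CONNECT to 443 leave the network.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# IE: whitelist only. Other browsers on the LAN: anywhere. Everyone else: denied.
http_access allow localnet ie biz_sites
http_access deny ie
http_access allow localnet
http_access deny all

# Keep the access log; it is the audit record the post refers to.
access_log /var/log/squid/access.log squid
```

The User-Agent check is a convenience control, not an authentication boundary: a user who changes the browser string bypasses it, so the whitelist still relies on the firewall forcing all traffic through the proxy.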
A nuisance yes, but a necessary evil - there are far too many people out there that think they know what they're doing, and don't have the slightest idea. Then there are the paper-trained MCSE/MBA people - knows enough to sound smart, but stupider than shit.
These rules are very likely there for a good reason. I'm sure the admins are willing to listen to a good, well thought out argument against the filtering of something (I know I would).
My rule basically goes like this: if you can present to me a good (management backed) business case to open this port up, and I can't come up with any effective alternatives (or serious security or other system issues) - I'll open it.
Zone Alarm on a user's machine is not a replacement for a corporate firewall. Nothing on a user's machine should be able to mess with the corporate firewall. Some of your blocked ports should be blocked at your router/firewall, not by a user's software package.
The truth shall set you free!
Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport, which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.
Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary. As for FTP, passive mode is preferred as it allows connections to be initiated by the client rather than the server (or maybe the other way around, I'm tired, and it's late), so I fail to see how it's relevant.
But I'm willing to be enlightened.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare