Network Guys v Security

For more big business and enterprise networks, we were discussing the policies you have between zones. I had a discussion with a customer and some co-workers about security in their local networks and also outbound to the internet, and I'm curious if anyone who has dealt with enterprise networks can say what policies you set up.

What services do you permit outbound to the internet?

What security do you have between zones? Everyone in a Trust zone or did you break up your network if users are only in subnets for their buildings and anyone on the network is trusted to get to everyone?

:wave:

Outbound usually only http/https…and with that most enterprises will run a proxy…

Exceptions were based on departments with managers signing off…

The site to site trusts thing really depends on the applications people are running…

I have implemented egress filtering at a ton of customers purely as a response to machines getting infected and spamming (port 25)…or people trying to use peer to peer shit at work.

Permitting outbound services really just depends on the services needed.

Where I am, we run a lot of specialized applications and require many different types of outgoing traffic on all different ports

Risk mitigation!

Ya. The project started off as “We don’t care who can get to what,” and now they found out their IPs are getting blacklisted because they are spamming port 25 outbound.

I told them I am rewriting the policies and only going to allow from the general data subnets: HTTP, HTTPS, FTP, SSH, TELNET, and ICMP, and then limit their SMTP service out to only their mail server.
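One way to express the policy in that post as a first-match egress rule table and check it against flow records, as an added example that is not the poster's configuration (the subnets, the mail server address and the log lines are constructed):

```python
import ipaddress
from collections import Counter

# Constructed address plan for this example (not the poster's network):
GENERAL_DATA = ipaddress.ip_network("10.10.0.0/16")   # user/data subnets
MAIL_SERVER = ipaddress.ip_network("10.20.0.25/32")   # the only SMTP relay
ANY = ipaddress.ip_network("0.0.0.0/0")

# First-match egress rule table as described in the thread: general data
# subnets get HTTP, HTTPS, FTP, SSH, TELNET and ICMP; SMTP only from the
# mail server; everything else falls through to the implicit deny.
RULES = [
    (MAIL_SERVER,  "tcp",  {25},                  "allow"),
    (ANY,          "tcp",  {25},                  "deny"),   # stops spam egress
    (GENERAL_DATA, "tcp",  {80, 443, 21, 22, 23}, "allow"),
    (GENERAL_DATA, "icmp", None,                  "allow"),
]

def egress_action(src, proto, dport):
    """Return 'allow' or 'deny' for an outbound flow; first matching rule wins."""
    src_ip = ipaddress.ip_address(src)
    for net, rproto, ports, action in RULES:
        if src_ip in net and proto == rproto and (ports is None or dport in ports):
            return action
    return "deny"  # implicit deny at the end of the table

def audit(log_lines):
    """Count flows the policy would deny, per source IP, from key=value flow logs."""
    hits = Counter()
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        if egress_action(f["src"], f["proto"], int(f["dport"])) == "deny":
            hits[f["src"]] += 1
    return hits

# Constructed sample flow records (Splunk-style key=value), not real traffic.
SAMPLE_LOG = [
    "src=10.10.3.7 dst=203.0.113.9 proto=tcp dport=443",
    "src=10.10.3.7 dst=203.0.113.10 proto=tcp dport=25",   # client talking SMTP
    "src=10.10.3.7 dst=198.51.100.4 proto=tcp dport=25",
    "src=10.10.8.2 dst=203.0.113.5 proto=tcp dport=5050",  # unlisted port
    "src=10.20.0.25 dst=203.0.113.25 proto=tcp dport=25",  # mail server, allowed
    "src=10.10.8.2 dst=203.0.113.1 proto=icmp dport=0",
]

if __name__ == "__main__":
    for ip, n in audit(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} outbound flows the new policy would deny")
```

Running the audit over existing flow logs before enforcing the rules shows which hosts (and which ports) would be cut off, which is the conversation the poster had with Splunk data.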

I just set up Splunk and showed them all their IPs that are hammering the internet with traffic, and now they suddenly are like, well, we should rewrite our policies.

Clients have no reason to use port 25 anyways…

Ya. I was blown away that they were finding reasons to keep Yahoo Messenger and all the other default protocols allowed on the outbound side when they have such strict web filtering rules…

I guess they learned now I have to go and just restrict their outbound/inbound.

Exchange uses SMTP on port 25 right for outbound email or does it get creative and use some other random port for its mail?

Exchange uses 25 for outbound…