Firewalls & Restricting Outbound Traffic
-
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.
Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.
Expect, but want? Why do you want that? I'd rather fail soft than fail hard. If DNS doesn't work properly, it's an accident. If it is blocked and they can't work at all, it's not an accident any more and IT induced a problem. There are cases where that's preferable, but I'd wager that they are extremely rare. What's your benefit from forcing a more dramatic failure?
It would be brought to our attention and we would fix it. A soft failure may remain soft for an indeterminate amount of time.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.
-
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.
I'm not following you. I've been talking about blocking at the edge (firewall/router whatev you want to refer to) the entire time.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
Yes. Our users are terrible at reporting problems. If it just doesn't work, they'll let us know. If it kinda works, we may never hear about it.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.
I'm not following you. I've been talking about blocking at the edge (firewall/router whatev you want to refer to) the entire time.
Scott is saying not to even bother on that. He sees no point. I disagree saying it is easier this way than managing the endpoints.
-
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.
Yes!
insert appropriate meme here
-
@JaredBusch Got it.
-
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.
I appreciate the point. I think it's a moderate point where either way is fine, I just lean the other direction "more often."
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
Yes. Our users are terrible at reporting problems. If it just doesn't work, they'll let us know. If it kinda works, we may never hear about it.
That makes sense.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.
Yes!
insert appropriate meme here
So you are letting the users manage their own DNS settings? Lots of times you need to, so that's a valid case, I just want to be clear that that is what we are talking about.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
I have been down this road before, and yes. If someone was over at Art's Motel and had to set specific DNS setting in order to work right, and then comes back on my network and gets DHCP, but not a DHCP assigned DNS, then I want then to get no where.. Broken.
Yes!
insert appropriate meme here
So you are letting the users manage their own DNS settings? Lots of times you need to, so that's a valid case, I just want to be clear that that is what we are talking about.
Well, not the users directly. But there may be a case where DNS settings are altered undesirably (by IT, by malicious software, or simply an issue with the OS not flushing stale DNS settings from going off network).