Firewalls & Restricting Outbound Traffic
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
We have a log collector that does DNS analysis. So, yes, it does actually. And if I decided to "black hole" a DNS record (have done this as past jobs, but not this one yet), there would be no way around it.
You think that malware would have no way around it? It would just use port 80 or 443. There is always a way around it.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
We have a log collector that does DNS analysis. So, yes, it does actually. And if I decided to "black hole" a DNS record (have done this as past jobs, but not this one yet), there would be no way around it.
You think that malware would have no way around it? It would just use port 80 or 443. There is always a way around it.
I suppose that's true. They could also go out another random port since none of it would be blocked.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
We have a log collector that does DNS analysis. So, yes, it does actually. And if I decided to "black hole" a DNS record (have done this as past jobs, but not this one yet), there would be no way around it.
You think that malware would have no way around it? It would just use port 80 or 443. There is always a way around it.
I suppose that's true. They could also go out another random port since none of it would be blocked.
If you block ALL ports, then you can make cases for all kinds of stuff. But leave any open, and you might as well leave them all open, except for 25.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
-
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
What's the difference between blocking DNS at the router vs firewall?
Those are the same thing. All routers on the market for the last two decades is a firewall. And all firewalls that I know of are routers. Since the late 1990s, while a router and firewall are different functions and aspects, all real world products are always both. So those terms are actually interchangeable unless you are discussing the functionality.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
What's the difference between blocking DNS at the router vs firewall?
Those are the same thing. All routers on the market for the last two decades is a firewall. And all firewalls that I know of are routers. Since the late 1990s, while a router and firewall are different functions and aspects, all real world products are always both. So those terms are actually interchangeable unless you are discussing the functionality.
I know. Hence my question.
I suspect this thread is spiraling. As surprising as it may be, I'm really not an idiot.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
What's the difference between blocking DNS at the router vs firewall?
Those are the same thing. All routers on the market for the last two decades is a firewall. And all firewalls that I know of are routers. Since the late 1990s, while a router and firewall are different functions and aspects, all real world products are always both. So those terms are actually interchangeable unless you are discussing the functionality.
I know. Hence my question.
I suspect this thread is spiraling. As surprising as it may be, I'm really not an idiot.
I don't understand the question, what prompted it?
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network? Any non-organization owned device is limited to our guest WLAN which is completely siloed from the rest of our network. The two never cross with exception of using the same physical network (different VLANs, NAT IPs, etc.). On our guest WLAN I couldn't care less...go to town do whatever you want with DNS.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
What's the difference between blocking DNS at the router vs firewall?
Those are the same thing. All routers on the market for the last two decades is a firewall. And all firewalls that I know of are routers. Since the late 1990s, while a router and firewall are different functions and aspects, all real world products are always both. So those terms are actually interchangeable unless you are discussing the functionality.
I know. Hence my question.
I suspect this thread is spiraling. As surprising as it may be, I'm really not an idiot.
I don't understand the question, what prompted it?
This whole discussion has been about allowing/blocking outbound traffic at the firewall and it was mentioned that blocking at the "router" would be better. This is what prompted my question.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
What's the difference between blocking DNS at the router vs firewall?
Those are the same thing. All routers on the market for the last two decades is a firewall. And all firewalls that I know of are routers. Since the late 1990s, while a router and firewall are different functions and aspects, all real world products are always both. So those terms are actually interchangeable unless you are discussing the functionality.
I know. Hence my question.
I suspect this thread is spiraling. As surprising as it may be, I'm really not an idiot.
I don't understand the question, what prompted it?
This whole discussion has been about allowing/blocking outbound traffic at the firewall and it was mentioned that blocking at the "router" would be better. This is what prompted my question.
Who said that the router would be better? Remember, router = firewall. Jared was talking about the edge case of you allowing unmanaged devices onto your network and in that case, it could be beneficial to block DNS on the router/firewall. But otherwise, why would you block it there rather than just setting the DNS correctly on the devices that you manage? That way you have the flexibility to not have to manage DNS access for new DCs, moving DCs, emeregencies, etc.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.
Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.
Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.
Expect, but want? Why do you want that? I'd rather fail soft than fail hard. If DNS doesn't work properly, it's an accident. If it is blocked and they can't work at all, it's not an accident any more and IT induced a problem. There are cases where that's preferable, but I'd wager that they are extremely rare. What's your benefit from forcing a more dramatic failure?
-
Maybe do some role play... what is the use case where you end up with misconfigured DNS and then want to the person or system with that issue to really go offline completely? Like not just losing some things, but losing patching and monitoring too.
-
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
My opinion varies from Scott's a bit in that it is easier to block at the router than to deal with DNS control on all devices, even on controlled devices.
-
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@JaredBusch said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Ok, so perhaps the discussion should be...which ports would you blanket block?
- That's it. And it is blocked on every network I have ever had access to the core router of.
You wouldn't want to force DNS at least, too? I'm liking the idea that DNS requests must be made by my DCs. Maybe it's not necessary.
Are there cases for that? Okay. But you already control that in other ways. So I'm unclear what benefit you think that this will provide since you are talking about malware, not your users. Does malware looking things up on your DC provide some value to you?
You cannot force client DNS 100% of the time to be what you want in a BYOD environment. If DNS control is a desire, blocking DNS at the router is the simpler method.
It is unrelated to the blanket blocking discussion as it is a decision the business needs to decide if they need to make or not.
What's the difference between blocking DNS at the router vs firewall? The idea being only permitted DNS servers would be allowed to perform DNS requests to the outside world. Everything on the inside would need to use the on premis DNS servers (aka our DCs).
RIght, if you allow unmanaged devices onto your network, then it could make sense to use LAN security to control access to DNS. But I'd ask.. why do you let uncontrolled devices onto your network?
Basically how I see this is an attempt at LAN based security, while also allowing skipping LAN management for the worst of both worlds mixed together.
Where did I say I let unmanaged devices onto my network?
That was the reason that Jared suggested for why you'd want to block DNS POrt 53. If you don't have unmanaged things on your network, what would blocking it get for you? It only makes sense if you have unmanaged things on the network.
It would force any prospective clients on the network to only be able to use my DNS servers. Sure, everything on the (non-guest) network is managed, and I do my best to keep them all clean, but things happen and I know I'm not the worlds perfect sysadmin.
I guess it's dumb after all.
It would force them not to use Google or whatever. But it would not make them point to your AD. So it would break their access. Which might be what you want, but I'd guess not.
Yes, that'd be what I want. If DNS on a given host is ill-configured, it doesn't work. Exactly the behavior I'd expect.
Expect, but want? Why do you want that? I'd rather fail soft than fail hard. If DNS doesn't work properly, it's an accident. If it is blocked and they can't work at all, it's not an accident any more and IT induced a problem. There are cases where that's preferable, but I'd wager that they are extremely rare. What's your benefit from forcing a more dramatic failure?
It would be brought to our attention and we would fix it. A soft failure may remain soft for an indeterminate amount of time.