Ok, so the consensus so far for a good baseline is:
TCP 80/443 for all
TCP & UDP 53 for DNS servers
UDP 123 for NTP servers
Anything I'm missing? Any others to consider?
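As an added illustration of the baseline above (this is example code written for this page, not anything from the thread or a Fortigate configuration), the model below encodes a default-deny egress policy by host role: TCP 80/443 for every host, TCP and UDP 53 only from the DNS servers, UDP 123 only from the NTP servers. The address ranges and the sample flows are constructed for the example; `find_exceptions` tallies what the baseline would have dropped, which is the list you would review before adding anything to the "global ports" or granting a one-off exception.

```python
"""Role-based default-deny egress policy modelled on the thread's baseline.
All addresses, roles and flows below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not the poster's network)
ROLES = {
    "dns-server": [ip_network("10.0.10.0/29")],
    "ntp-server": [ip_network("10.0.10.8/30")],
}

# Baseline allow list: (role or "*" for any internal host, protocol, destination port)
BASELINE = [
    ("*", "tcp", 80),
    ("*", "tcp", 443),
    ("dns-server", "tcp", 53),
    ("dns-server", "udp", 53),
    ("ntp-server", "udp", 123),
]


@dataclass(frozen=True)
class Flow:
    src: str      # internal source address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the Internet side


def role_of(src):
    """Map a source address to its role; anything unlisted is a plain workstation."""
    addr = ip_address(src)
    for role, nets in ROLES.items():
        if any(addr in net for net in nets):
            return role
    return "workstation"


def is_allowed(flow, policy=BASELINE):
    """First matching allow entry wins; no match means the implicit deny."""
    role = role_of(flow.src)
    for entry_role, proto, port in policy:
        if entry_role in ("*", role) and proto == flow.proto and port == flow.dport:
            return True
    return False


def find_exceptions(flows, policy=BASELINE):
    """Count denied (role, proto, dport) tuples so recurring needs stand out
    from one-off requests when deciding what to add to the baseline."""
    denied = Counter()
    for flow in flows:
        if not is_allowed(flow, policy):
            denied[(role_of(flow.src), flow.proto, flow.dport)] += 1
    return denied


def to_nft_rules(policy=BASELINE, roles=ROLES):
    """Render the policy as nftables-style rule text (rendered only, never applied)."""
    lines = []
    for entry_role, proto, port in policy:
        if entry_role == "*":
            lines.append(f"{proto} dport {port} accept")
        else:
            for net in roles[entry_role]:
                lines.append(f"ip saddr {net} {proto} dport {port} accept")
    lines.append("drop")  # default deny closes the chain
    return lines


if __name__ == "__main__":
    # Constructed sample of what a day's outbound connection log might contain
    sample = [
        Flow("10.0.20.5", "tcp", 443), Flow("10.0.20.5", "udp", 53),
        Flow("10.0.10.2", "udp", 53), Flow("10.0.20.7", "tcp", 25),
        Flow("10.0.20.7", "tcp", 25), Flow("10.0.10.9", "udp", 123),
    ]
    for key, count in find_exceptions(sample).most_common():
        print(f"denied {count}x: {key}")
    print("\n".join(to_nft_rules()))
```

Workstations resolving names against an outside resolver show up as denied UDP 53 in the tally; in this model that is intended, since only the internal DNS servers are meant to talk to the Internet on 53.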
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Well, I guess I did invite the conversation myself by asking if I should rely on UTM features instead of limiting outbound traffic. D'oh!
Fixed!
Well, for what it's worth, I was handed the Fortigates and told to set them up as our new firewalls. Soo, can we focus on my OP rather than a debate on UTMs or not, pretty please?
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
Or..should I trust the UTM features of the firewall(s) and not worry about it?
Or neither, Just turn them off
But I thought "NGFW's" were the thing now? I upgrade and then disable all the fancy UTM features? I'm hoping they do more good than harm. lol
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@EddieJennings said in Firewalls & Restricting Outbound Traffic:
@scottalanmiller said in Firewalls & Restricting Outbound Traffic:
@anthonyh said in Firewalls & Restricting Outbound Traffic:
@EddieJennings Yeah. I'm thinking the common ports for mail will be included in our "base set" of what's allowed out. SMTP(S), IMAP(S), POP3(S)...whatever is required for clients to send/receive messages. Our mail server is in the DMZ and I've already got that squared away between the various zones, so this would simply be for non-organization email access.
Normally you specifically block those, not allow them. Why do you need outbound email protocol(s) or ports from your clients?
Perhaps I'm just having a brain fart. Let's say you send an E-mail from your mail client. Mail client connects to a mail server (for this case, assume it's not Exchange). Let's say this server is off site. Does this client not use SMTP to talk to this server, which would mean, your firewall would need to allow outbound SMTP traffic?
Yes, that would use SMTP in many cases. That's if you are using a general case client (Thunderbird, Geary, etc.) and if you are using an email host that uses the normal ports for internal traffic. Major mail systems typically use HTTPS, ActiveSync, a web page or custom ports for that. There are exceptions, but of business class systems, it's pretty much unheard of to use port 25 internally.
If anything the goal would be to only allow port 587 as this is the SMTP submission port. Port 25 should be server to server only and not needed. Possibly allow 465 for backwards compatibility, but not sure.
@scottalanmiller It's mostly a convenience thing for employees who BYOD and have personal email accounts configured on their devices. However, in most cases these devices will be connected to our guest wireless and completely siloed from our internal network. So it may not be needed. I'm still in the brainstorming phase here which is why I posted.
Hmm. I've been trying to convince my boss to consider thin clients for our users and I think this argument may help me in at least getting him to consider it.
I'm working on setting up new firewalls for my organization. In the past, I've never restricted outbound traffic from our network, just what can come in. I'm thinking it may be time to stop taking the "easy way" and start restricting outbound traffic.
For those of you who do this, what ports do you allow outbound? Obviously 80/443, but what else? Where would you recommend starting? My theory is that I'd come up with a baseline of ports that all end-points would need and then go from there as needed (adding to the "global ports" and/or adding specific exceptions if the need is not common).
Thoughts?
@DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:
@guyinpv that's probably not too far from the truth.
Yep. As I continue through my IT career, I learn more and more every day that the folks who seem like true industry "experts" rarely do it any better than anyone else.
@scottalanmiller said in HP Laptops Found with Keylogger Built Into Audio Driver:
I'm surprised that every vendor isn't being checked, it could be everywhere, in theory.
Agreed. I can't imagine this is limited to only HP. They aren't the only ones using Conexant for audio.
@scottalanmiller said in MSSQL tempdb - your location:
@anthonyh said in MSSQL tempdb - your location:
From what I've been reading regarding TempDB in a RAM disk is that it's not recommended these days. The way the MSSQL engine works (if configured properly) is it uses all the RAM of the server (gets complicated after 64 GB RAM if you're using the Standard edition, but even then it can use more). So, in theory, TempDB should be in RAM as much as the server allows. It will only "spill" to disk if there is not enough RAM to complete whatever TempDB operation is happening at the time.
From what I'm reading, the recommendation these days is to put TempDB on a local SSD and/or beef up the amount of RAM the MSSQL server has.
https://www.brentozar.com/archive/2014/12/sql-server-2012-standard-edition-max-server-memory-mb/
Good to know. Basically.... RAM disk but managed by SQL Server, not by you.
That's how I understand it. The key is configuring the MSSQL service to consume the appropriate amount of RAM. I'm trying to dig up the "rule of thumb" I used when configuring our production servers. I believe it was Total RAM - 10 GB. However this was based on our prod VMs having 96 GB RAM assigned to them.
I also enabled "lock pages in memory" which helped performance wise as well:
An official MS article: https://support.microsoft.com/en-us/help/2659143/how-to-enable-the-locked-pages-feature-in-sql-server-2012
A better article: https://sqlserverperformance.wordpress.com/2011/02/14/sql-server-and-the-lock-pages-in-memory-right-in-windows-server/
This should prevent the OS from paging out SQL data, so less swapping will occur. You don't want to do this if you have not configured the memory limit of the MSSQL service as by default it's set to consume everything.
I should disclaim that I do not consider myself a SQL expert in any way and all my experience is with MSSQL 2012 under Server 2012 R2. Soo your experience may vary. I'd like to think I've got decent Google-Fu and an ability to eventually figure out which buttons to push in which order.
@travisdh1 said in HP Laptops Found with Keylogger Built Into Audio Driver:
@anthonyh said in HP Laptops Found with Keylogger Built Into Audio Driver:
@DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:
@momurda It would take about a single day for the average computer to brute force that password.
What if the authentication back-end implemented a lockout or throttling policy? Like after X attempts the account is locked out and/or authentication responses are delayed by X time?
That's great so long as it's not an offline attack. IE: Do you know who's seen your salt?
That makes sense.
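An added example of the lockout/throttling idea from the exchange above (written for this page; it is not code from any poster or product). The back-end locks an account after `MAX_ATTEMPTS` failures for `LOCKOUT_SECONDS` and adds a growing delay per failure, which only helps against online guessing through the login path. For the offline case that @travisdh1 raises, where an attacker holds a copy of the password database and the lockout never fires, the stored form is a per-user salted scrypt hash so each guess costs real work. The user names, passwords, limits and timings are all constructed for the example.

```python
"""Online lockout/throttling plus salted scrypt storage (constructed example)."""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # how long the lock lasts
BASE_DELAY = 0.5          # seconds added to the response per consecutive failure
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt per user is the default."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


class AuthBackend:
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock = clock      # injectable so the policy can be tested without waiting
        self.sleep = sleep
        self.users = {}         # user -> (salt, digest)
        self.failures = {}      # user -> (consecutive failures, time of last failure)
        # Hash work done for unknown users too, so timing does not reveal valid names
        self._dummy = hash_password(os.urandom(16).hex())

    def add_user(self, user, password):
        self.users[user] = hash_password(password)

    def locked_until(self, user):
        count, last = self.failures.get(user, (0, 0.0))
        return last + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0

    def required_delay(self, user):
        count, _ = self.failures.get(user, (0, 0.0))
        return BASE_DELAY * count

    def login(self, user, password):
        """Return "ok", "denied" or "locked"."""
        now = self.clock()
        if now < self.locked_until(user):
            return "locked"
        self.sleep(self.required_delay(user))   # throttle repeated online failures
        record = self.users.get(user)
        salt, stored = record if record is not None else self._dummy
        _, candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures.pop(user, None)       # a success resets the counter
            return "ok"
        count, _ = self.failures.get(user, (0, 0.0))
        self.failures[user] = (count + 1, now)
        return "locked" if count + 1 >= MAX_ATTEMPTS else "denied"


if __name__ == "__main__":
    backend = AuthBackend()
    backend.add_user("alice", "correct horse battery staple")   # constructed credential
    for attempt in range(MAX_ATTEMPTS + 1):
        print(attempt + 1, backend.login("alice", "not the password"))
    print("right password while locked:", backend.login("alice", "correct horse battery staple"))
```

The lock is keyed on the account, not the client address, so a distributed guesser still hits it; the trade-off is that anyone can lock a named user out, which is why the lock expires rather than requiring an administrator.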
@NetworkNerd said in Unknown ESET Uninstall Password:
@scottalanmiller said in Unknown ESET Uninstall Password:
I've had ESET do remote kills before. They keep a secret kill switch, you could call them and ask them to do it for you.
I assume since these are individual workstations not centrally managed it would have to be done per workstation.
I don't think it would hurt to reach out to them. Worst they say is that you need to follow the KB article in your original post and you burned some time. If I recall, their hold times are not too bad.
@NetworkNerd ORLY? I didn't visit the link. That serious, eh? I'd try giving their support a call and see what they say. We use ESET where I work and their support when I've needed it has been great.
@matteo-nunziati said in Fitness and Weightloss:
@scottalanmiller said in Fitness and Weightloss:
I switched to using a standing desk tonight. So maybe this will help me stay more active all throughout the day in general. The only seat that I have for this desk is broken, so no way to sit down at all right now.
Here's a question for everyone using a standing desk: I've been an automation guy for almost 10 years and I've coded in a number of different unhealthy places/positions, including standing up for 8+ hours coding.
While standing up is better than twisting yourself into some strange position (like crouching on your knees for 2+ hours), how do you deal with your concentration and productivity while standing up all the time? It was really energy consuming for me...
Hopefully I can answer this question in a couple months. We're in the process of moving our main office (where IT resides) to a new location. Management decided to purchase adjustable desks for everyone. I'm curious to see how often I stand vs sit.