--On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:

I've seen most people allow all outgoing traffic
originating from the firewall itself... Is this really
recommended?? What if the machine have been
compromised and the intruder have installed a program
that let's him access the machine remotely by having
the program itself to initiate the outgoing connection
to him thus defying the incoming connection firewall

Because if the machine has been compromised, it doesn't *matter* what the outgoing ruleset is. Or what anything else is, for that matter.

If I hack your box, one of the first things I'm going to do is install a rootkit. Then I'm going to wipe the logs of any evidence of my entry (but leave them intact otherwise), clean my tracks from the shell history file and remove any other evidence of my presence. "Bypassing" your firewall rules is the least of my worries.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas

Reply via email to