--On May 10, 2006 6:22:11 PM -0700 Mark Jayson Alvarez <[EMAIL PROTECTED]> wrote:

I've seen most people allow all outgoing traffic
originating from the firewall itself... Is this really
recommended?? What if the machine has been
compromised and the intruder has installed a program
that lets him access the machine remotely by having
the program itself initiate the outgoing connection
to him thus defying the incoming connection firewall
ruleset...

Because if the machine has been compromised, it doesn't *matter* what the outgoing ruleset is. Or what anything else is, for that matter.

If I hack your box, one of the first things I'm going to do is install a rootkit. Then I'm going to wipe the logs of any evidence of my entry (but leave them intact otherwise), clean my tracks from the shell history file and remove any other evidence of my presence. "Bypassing" your firewall rules is the least of my worries.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
