> I have our IIS 5 server sitting on a private network with
> an IP of 10.2.32.20. It is being NAT'd via CheckPoint NG.
> I only allow HTTP traffic in to the web server but I allow
> the server unrestricted access out from the network.
>
> 1. Is this a good idea?
>
> 2. Should I lock down the web server's outbound ports to
> prevent Nimda/CodeRed type infections from propagating from
> my server?

You should definitely lock down your outbound traffic for all systems, especially systems that are accessible from outside the network. Consider a very simple example: An attacker compromises your IIS server, installs an SSH client, and then uses your compromised host to launch further attacks. The idea here is to minimize damage. If your system is compromised, you have problems to deal with. If your system is compromised, and used to launch a further attack, you could have law enforcement agents to deal with.

> 3. What ports should I allow the server to go out on if any?

What do you use your Webserver for? If it is used strictly for serving HTTP, then you should not have to allow much. Although you could probably get away with allowing no outbound traffic, you will probably want to be able to resolve names in your logs, so probably DNS. Have any pages that generate emails? Then you will need to open SMTP. Also keep in mind that you can restrict where the outbound traffic goes -- so even if you decide to open up DNS, you could specify only to your DNS server.

If you really want to determine what you have to open, close everything, and see what stops working, or who complains. Otherwise, set up a sniffer for a couple of days to determine that same information with less disruption.

Hope this helps,
Steve
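
The sniffer approach from the reply above, as an added example that is not part of the original message: it reduces a capture to the connections the web server opened itself and checks them against a proposed egress policy. The record format, the resolver and relay addresses, and the sample lines are constructed assumptions; only 10.2.32.20 comes from the post.

```python
from collections import Counter

WEB_SERVER = "10.2.32.20"  # web server address given in the post

# Assumed policy (hypothetical addresses): DNS to one resolver, SMTP to one relay.
POLICY = {("udp", "10.2.32.5", 53), ("tcp", "10.2.32.5", 53), ("tcp", "10.2.32.6", 25)}

# Constructed sample capture: "proto src:sport dst:dport tcp-flags" ("-" for UDP).
SAMPLE = """\
tcp 198.51.100.7:51512 10.2.32.20:80 S
tcp 10.2.32.20:80 198.51.100.7:51512 SA
udp 10.2.32.20:1047 10.2.32.5:53 -
udp 10.2.32.20:1048 10.2.32.5:53 -
tcp 10.2.32.20:1050 10.2.32.6:25 S
udp 10.2.32.20:1051 192.0.2.53:53 -
tcp 10.2.32.20:1060 203.0.113.9:22 S
tcp 10.2.32.20:1060 203.0.113.9:22 A
"""

def parse(line):
    """Split one record into (proto, src_ip, dst_ip, dst_port, flags)."""
    proto, src, dst, flags = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dst_port), flags

def server_initiated(capture):
    """Count flows the web server opened itself, keyed by (proto, dst_ip, dst_port)."""
    flows = Counter()
    for line in filter(str.strip, capture.splitlines()):
        proto, src_ip, dst_ip, dst_port, flags = parse(line)
        if src_ip != WEB_SERVER:
            continue  # packet towards the server, not egress
        if proto == "tcp" and flags != "S":
            continue  # only a bare SYN opens a connection; skips HTTP replies (SA, A)
        # Only HTTP is allowed in, so any UDP the server sends is its own request.
        flows[(proto, dst_ip, dst_port)] += 1
    return flows

def review(capture, policy=POLICY):
    """Split server-initiated flows into those the policy covers and those it would block."""
    flows = server_initiated(capture)
    covered = {k: n for k, n in flows.items() if k in policy}
    blocked = {k: n for k, n in flows.items() if k not in policy}
    return covered, blocked

if __name__ == "__main__":
    covered, blocked = review(SAMPLE)
    for title, group in (("covered by policy", covered), ("would be blocked", blocked)):
        print(title)
        for (proto, ip, port), n in sorted(group.items()):
            print(f"  {proto} -> {ip}:{port}  ({n} flow(s))")
```

Anything in the "would be blocked" group is either a dependency the policy missed or traffic the server has no business sending, such as DNS to a resolver other than the designated one or the outbound SSH connection from the scenario in the reply.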