On Sunday, 04-08-2024 at 16:15 john doe wrote:
> On 8/4/24 06:48, jeremy ardley wrote:
> >
> > On 4/08/2024 12:26 pm, George at Clug wrote:
> >>
> >> If I go to the local coffee shop and connect my laptop to their WiFi,
> >> which incoming and now outgoing ports should I have blocked to ensure
> >> that no nefarious people are able to communicate with my laptop
> >
> > The rules for public networks are very simple.
> >
> > - Allow all outgoing traffic
> >
> 
> On a laptop, inbound connections should be restricted unless you want
> services to be accessible on your laptop by way of FWing and
> securing the services.
> 
> Outbound connections are up to you.

Thanks, John,

I do like the idea of blocking all outbound connections, and only opening ports 
that are required for whatever services I want to use. 

For servers I often do, but for workstations, sadly I am often lazy and default 
to allowing all outgoing traffic.

When asked to explain why I want to block outgoing connections, I do find it 
difficult to justify but here are a few thoughts:

1) I like the principle of making this as hard as possible for the 'bad' guys. 
If they break in, they might as well not have it easy. As an analogy, I can have a 
gate at the front of my house, then I have a deadlocked door (not just a lock 
from the outside). Then, if I had valuables, they would be in a steel safe, and 
the safe would be bolted to the concrete floor. All of this will not stop the 
determined, but why let it be easy.

2) Staying with analogies, I like having double locked doors. If someone 
breaks in through the window, they have to exit the same way, and not just walk 
out through the front/back door, making it a bit more difficult to carry 
everything out. In IT terms, if someone has gained access to my server via a 
service level exploit, they (hopefully) only have that service's level of 
access. If the local network is blocked, port scanning is going to be more 
challenging, as would a number of other network based attacks.

3) I believe a number of exploits, once they gain a small footprint, then create a 
listening service to allow remote access to the system. If this cannot be 
achieved, then again, I have made their lives harder.

The main challenge as I see it is to ensure no 'bad' guys gain root access, but 
as above, until then, make their lives as hard as possible to do anything by 
limiting and locking down anything you can while still allowing the system to 
achieve its intended purpose.

Any comments on the above thoughts?

George.


> 
> --
> John Doe
> 
> 
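The posture discussed in this thread (drop all unsolicited inbound, allow outbound only for the services the session needs, and keep a compromised process from reaching the rest of the cafe's network) can be written as a single nftables ruleset. The ruleset below is an added example and was not posted by anyone in the thread; the set of permitted outbound services and the use of the RFC 1918 ranges to stand for "the local network" are assumptions for a typical coffee-shop session, so adjust them to what the laptop actually does.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): host firewall for a laptop on public Wi-Fi.
# Inbound: nothing unsolicited. Outbound: an allowlist, with the local subnet
# reachable only for DHCP/DNS so a compromised service cannot scan the cafe LAN.
# The allowed services below are an assumption; trim or extend to fit your use.

flush ruleset

table inet laptop {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Anything else inbound (including a freshly planted listener) is dropped by
        # the chain policy; log a rate-limited sample so probes show up in the kernel log.
        limit rate 5/minute log prefix "nft-drop-in: "
    }

    chain forward {
        # A laptop is not a router.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Address configuration first: DHCP goes to broadcast, NDP/RA need ICMPv6.
        udp dport 67 accept            # DHCPv4 client
        udp dport 547 accept           # DHCPv6 client (remove if IPv6 is unused)
        meta l4proto ipv6-icmp accept  # neighbour discovery, router advertisements, PMTU

        # Point 2 of the thread: the local network is off limits except for the
        # gateway's DNS. Everything else aimed at private address space is logged
        # and dropped before the general web rules below can match it.
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } udp dport 53 accept
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport 53 accept
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "nft-drop-lan: " drop

        # Name resolution, time, and web traffic to the internet.
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept           # NTP
        tcp dport { 80, 443 } accept
        udp dport 443 accept           # QUIC / HTTP/3
        meta l4proto icmp accept       # IPv4 ICMP (after the LAN rule, so no LAN ping sweeps)

        # Point 3 of the thread: a listener's call-home on any other port ends here.
        limit rate 5/minute log prefix "nft-drop-out: "
    }
}
```

Check the syntax without loading it with `nft -c -f laptop.nft`, load it with `nft -f laptop.nft`, and confirm with `nft list ruleset`; the `nft-drop-*` prefixes make the blocked attempts easy to find in `journalctl -k`. Two caveats a practitioner will hit: a cafe captive portal usually lives on the gateway's private address and serves HTTP, so the LAN block has to be relaxed briefly to get past it; and filtering by port does nothing about a process that talks to the outside over 443, so this ruleset raises the cost of the noisy behaviours the thread mentions (LAN scanning, opening a listener, calling home on an odd port) rather than making egress impossible.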
