Outbound ports to allow through firewall - core requirements

Posted by dunxd on Server Fault See other posts from Server Fault or by dunxd
Published on 2011-01-11T12:20:17Z Indexed on 2011/01/11 13:55 UTC
Read the original article Hit count: 203

Filed under:
|
|
|
|

This question was asked before, but in a rather general way. I'm asking more specifically based on my current requirements.

We have a number of remote offices made up of a bunch of PCs and an ASA 5505 which is used as firewall and VPN termination point. In the offices we share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs.

For a bunch of reasons I'd like to lock down these ASA 5505s to only allow outbound traffic to ports used by applications we know we need. I'm putting a standard config to roll out to all the ASAs, and if we need to open up ports for the other orgs we can do it on request. But I want to leave open the most commonly required ports so we can get up and running without waiting on other folks technical staff to get back.

I plan to allow the following TCP ports to support email and web access, which I know everyone will need:

  • POP3 (110 and 995)
  • HTTP (80 and 443)
  • IMAP4 (143 and 993)
  • SMTP (25 and and 465)

The question really is, what other ports do I need to leave open to allow for "normal" working? I've seen UDP port 53 for DNS as one. Are there any others that would be worth opening up?

Just to note - I'll also be setting up monitoring systems to keep an eye on the ports we do allow. Any of the above could be misused of course. We'll also back all this up with signed agreements. But I'm aiming for a technical solutions where I don't have to start out with the full requirements of everyone we share connections with.

See also: outbound ports that are always open

© Server Fault or respective owner

Related posts about networking

Related posts about security