Why blindly blocking everything is bad for you

Many administrators blindly block anything that isn’t running on port 80 (http), 443 (https) or 22 (ssh). Their claim is that nothing good can work on any other port. This causes their users to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or other ‘evil’ programs, which are pretty good at bypassing your restrictions on their own (Skype is one such example). I am talking about, for example, one of your engineers wanting to get tech support but having his corporate VPN access blocked, as most VPNs require at least one port other than 80, 443 or 22 to be open.

In such cases (as with the VPN), the tech support guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though it’s not really SSL going inside there :) . The smart administrator will use a proxy or a content filtering agent to prevent such things, so a smart tech support guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).

My point is that blindly blocking will give you the benefit of stopping the common user, but will frustrate a tech support guy to the point that he will find a way to bypass it. I suggest that you ‘give’ the tech support guy a hand, understand what he needs, and give him that. It’s better than him bypassing your restriction.
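One practical way to “understand what he needs” before he tunnels around you is to read your own egress deny logs: a host that keeps hitting the same blocked destination port is usually a legitimate need (a VPN, a vendor support tool) waiting to be approved. The script below is an added example, not code from the original post; it parses constructed log lines in the iptables LOG target format (the EGRESS-DROP prefix, the 10.0.5.0/24 hosts and the documentation-range destinations are all made up for the example) and lists the repeat offenders worth a conversation.

```python
import re
from collections import Counter

# Constructed sample egress-deny log lines in the iptables LOG target format.
# Nothing here comes from a real firewall: the EGRESS-DROP prefix, the internal
# hosts and the destinations (documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Jan 12 10:01:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4011 DF PROTO=UDP SPT=51234 DPT=1194 LEN=40
Jan 12 10:01:07 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4012 DF PROTO=UDP SPT=51234 DPT=1194 LEN=40
Jan 12 10:01:15 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4013 DF PROTO=UDP SPT=51234 DPT=1194 LEN=40
Jan 12 10:02:40 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40222 DPT=6667 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:03:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4014 DF PROTO=UDP SPT=51234 DPT=1194 LEN=40
Jan 12 10:05:30 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=192.0.2.55 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1200 DF PROTO=TCP SPT=50111 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Pull source, destination, protocol and destination port out of a LOG-format line.
# The non-greedy gaps skip the LEN/TOS/TTL fields that sit between DST and PROTO.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# The log prefix is whatever you configured on your LOG rule; this one is an assumption.
DENY_PREFIX = "EGRESS-DROP"


def parse_denies(text):
    """Yield (src, dst, proto, dport) for every deny line that parses; skip the rest."""
    for line in text.splitlines():
        if DENY_PREFIX not in line:
            continue
        m = LOG_RE.search(line)
        if m:
            yield (m["src"], m["dst"], m["proto"], int(m["dpt"]))


def summarize(text):
    """Count denied flows per (src, proto, dport).

    The destination is deliberately dropped from the key so repeated attempts at the
    same kind of service (a VPN concentrator, a vendor's support gateway) collapse
    into one entry regardless of which address they went to.
    """
    return Counter((src, proto, dport) for src, _dst, proto, dport in parse_denies(text))


def review_candidates(text, threshold=3):
    """Return [(src, proto, dport, count)] for flows seen at least `threshold` times,
    most frequent first. These are the needs to go and ask about, rather than waiting
    for the user to find a tunnel that hides them from the log entirely."""
    return sorted(
        [(src, proto, dport, n) for (src, proto, dport), n in summarize(text).items() if n >= threshold],
        key=lambda t: -t[3],
    )


if __name__ == "__main__":
    for src, proto, dport, n in review_candidates(SAMPLE_LOG):
        print(f"{src} was denied {proto}/{dport} {n} times - find out what they need")
```

Run against a real deny log the threshold should be tuned to your traffic volume, and the one-off entries are still worth a glance: a single blocked connection is noise, but a host retrying the same port every few seconds is exactly the engineer from the VPN example, and is cheaper to approve than to out-filter.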

I am sure the readers have additional examples that can strengthen this point.

  • A. Nonymous

    Or better, block but also *provide a published process* for requesting specific access when tied to legitimate business need.

    Also, security professionals have to understand that no amount of technological measures will solve all problems. Sometimes policy (“Thou shall not bypass the firewall or other network security measures.”) has to suffice — along with management backing of consequences for violating policy.

  • http://prozacville.com David Hagler

    Also, blindly blocking the ports puts you in the position of being in “competition” with other tech savvy people. You never want to be in competition with them. You want them to see you as the good guy, the guy they are working with. If you don’t – whatever bypass they figure out, they’ll make it work on a portable drive, and pass it off to less tech savvy people. If you allow the tech guys a bypass, you are “working with them”; they are then on your side. And when asked by others how to get past the firewall, they might not have a real, tested solution – garnering the response “oh, sorry I’ve got special access for bypassing it, and I can’t give you my password, or else I’ll lose my privileges” vs. “Oh hell yeah, f’ that overzealous admin, here’s a great packaged app that I wrote that an idiot can run to get access to a proxy outside the network, you can browse anything on this, even porn at work!”