Using IDS to Evaluate Outbound Port Usage for Security and Reduction of IDS Alerts: A Case Study

Published: 02 Sep, 2002 (PDF, 2.07MB)
Created by: Kenneth Underwood

Finding opinions on the Internet about securing or blocking ports at a firewall or on other devices is not hard. A query on your favorite search engine will return many examples to choose from. Invariably, the consensus that you will find again and again is that you should close all ports that you do not need. For the most part, the attention is drawn to inbound access to your internal network; less can be found on outbound port blocking. Unfortunately, for the average Network Administrator who is new to hands-on security, the information about port blocking on the Internet can seem somewhat gray, and enormous in quantity. Taking advice about closing this or that outbound port from someone you don't know causes hesitation or, most likely, no action at all from the Administrator. With all the responsibility that the average Network Administrator has, 'experimentation' at the network border is probably not in the job description. Using a flexible Intrusion Detection System can take the guesswork out of the equation. 'Knowing' what traffic is leaving your network is like turning on the light where there was once darkness. This paper will give examples of what I found in our corporate network and what I did about it.