cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Ian G <iang AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: Outbound fire-walling for CAcert infrastructure
- Date: Sun, 08 Jul 2012 14:37:06 +1000
On 8/07/12 14:06 PM, Mario Lipinski wrote:
> On 07.07.2012 16:48, Jan Dittberner wrote:
>> On Sat, Jul 07, 2012 at 03:54:49PM -0700, Mario Lipinski wrote:
>>> What is the gain in security by limiting the outbound traffic by ports?
>>> What do you think about allowing all outbound traffic for some or all
>>> CAcert infrastructure hosts?
>> In my opinion outbound traffic is ok, maybe we should restrict it to
>> some ports (http (80)/https (443)/git (9418)) though. We can ask
>> sysadmins if they have other ports that might be useful too.

just my 2c:

Malware is used to the paradigm of blocking inwards traffic so when installed it jumps out and picks up control instructions from some random server somewhere using some benign instruction. As GET on 443 is likely enabled, it would do that sort of thing. A way to shut that down is stopping outbound traffic coz we know the apps we install don't need it.

What would be conceptually nicer is if processes run by the sysadm could be allowed out, so that appget could work. I suppose the way to do this is to have an outbound proxy hop machine that the sysadms can connect to and turn on, then set appget to point at the proxy?

All of which would be less of an issue if the infra machines were not close by the critical machines ;-) but also given our position as security providers, we want to get the infra side nice and secure as well. When the public hears that CAcert has been breached, it will assume that the security side is breached, or is equally weak. The public is unforgiving ....

> OK, a root kit might not be able to be controlled e.g. via IRC. But some
> malware may still be able to load code via HTTP. And also the mentioned
> control channels could also work via port 80 these days?
> If we want to maintain a port limitation, then we should add FTP (20, 21).
>
> Mario

iang
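As an added example (not code from this thread or from CAcert's infrastructure), here is what the policy discussed above looks like as an iptables egress ruleset for one host: default-deny outbound, the ports Jan and Mario name, and Ian's "let the sysadmin's processes out" idea done with the owner match instead of a proxy hop. The group name "sysadm" and the resolver address 192.0.2.53 are assumptions; the function prints the rules so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed names:
# group "sysadm" for the admins, resolver 192.0.2.53 (TEST-NET, replace it).
IPT="${IPT:-iptables}"
SYSADM_GROUP="${SYSADM_GROUP:-sysadm}"
RESOLVER="${RESOLVER:-192.0.2.53}"
# Ports from the thread: http, https, git, ftp control. FTP data (port 20)
# is matched as RELATED by the conntrack ftp helper, so it is not listed.
ALLOWED_TCP="${ALLOWED_TCP:-80 443 9418 21}"

# Print the rules rather than applying them; apply with: egress_rules | sh
# Order matters: flush and add rules first, set the DROP policy last, so an
# admin's SSH session is never caught by an empty chain with a DROP policy.
egress_rules() {
    echo "$IPT -F OUTPUT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    # Replies to inbound connections (SSH) and FTP data channels.
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the configured resolver, not to arbitrary hosts.
    echo "$IPT -A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT"
    echo "$IPT -A OUTPUT -p tcp -d $RESOLVER --dport 53 -j ACCEPT"
    # Anything started by the admin group may go out (e.g. sudo -g sysadm
    # apt-get ...). Tools that drop privileges to their own user, such as
    # newer apt's _apt, would need their uid allowed with --uid-owner.
    echo "$IPT -A OUTPUT -m owner --gid-owner $SYSADM_GROUP -j ACCEPT"
    for port in $ALLOWED_TCP; do
        echo "$IPT -A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else is logged (rate-limited) and then hits the DROP policy;
    # the log line is the detection signal for a process trying to call home.
    echo "$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'EGRESS-DROP: '"
    echo "$IPT -P OUTPUT DROP"
}

# Number of explicit port-allow rules generated; a sanity check for reviewers.
count_port_rules() {
    egress_rules | grep -c -- '--dport [0-9]* -m state --state NEW'
}
```

Because the new-connection rules are not bound to a user, any process on the host can still reach port 80 or 443, which is exactly Mario's point about HTTP control channels; the LOG line is what tells you when something tries another port.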