defense in depth (which includes egress filters) and Network Security Monitoring (NSM). This diary post on isc.sans.org is a good example of why companies need to practice defense in depth. I have spent many years involved with messaging, back in 1995 I didn’t know what SMTP meant, but thanks to a gentleman at then Xerox PARC , the nice folks at what was then Innosoft, Joel from Opus1, and the countless posts on info-PMDF I learned a lot.
Many companies have problems with viruses, and for years I referred to Outlook as “the best virus distribution tool” around. My point being that if the workstations are not allowed to connect to outside servers/services then that stops a lot of stuff in it tracks. For example if a workstation became infected and the malicious software was trying to send out spam and the firewall let it out, then out goes the spam. On the other hand if the firewall rules prevented the workstation from directly talking with SMTP servers outside of the company, then malicious software would have to find a different way. Maybe instead the malicious software would talk with the companies mail server and let it then send the SPAM out. As long as the mail server is setup correctly, i.e. anti-spam/virus for outbound messages as well, then this problem would be stopped or at least slowed. Another thing to do, force the use of secure authentication for all users, regardless of location.
Another trick, rate limiting. TCP/IP connection rate limiting and message rate limiting should be put in place on the messaging server. If an internal machine violates these limits then the machine could be put into a deny all list and an administrator alerted.
I find is surprising that a company, in this day and age, would not have at least have egress filters on their firewall. I can understand companies not having NSM in place, but I hope to change that as I build out our mananged services offering to include NSM.
