Firewall Outbound Port Blocking

Due to a recent increase in torrent and p2p usage on our network, and the current equipment and services available, we have decided that the best way to stop this without spending money is to block outbound access on all unknown ports on the firewall at our ISP. (Currently we have all outbound open.)

I need some advice on which ports need to be open for outbound.

We are going to leave the following open with restrictions.  

Port 80 and 443: Allowed only from our web proxy.
Port 21: Open outbound
Port 25: Allowed only from our authorised email servers.

Are there any other critical ports that need consideration? I assume DNS ports need to be open, or would a better option be to allow ALL out from our DCs/DNS servers?

Other inbound services that might need consideration: we have webmail, RPC over HTTP, PPTP VPN, BlackBerry, POP3, IMAP, and SQL replication from external. I am not sure if these need corresponding ports open for outbound responses. I might just open all outbound access from the servers hosting these.

Cheers
felixresources asked:

shubhanshu_jaiswal commented:
You don't need to open the DNS port for all the users... you said you have a proxy... so you can open the DNS port for the proxy... you can even open port 21 only for the proxy... I hope you would be accessing FTP sites through the web browser... so you have the proxy configuration already on all the user machines... the rest of the inbound connections you can open according to requirement.

zepar303 commented:
Well... the list of outbound services could be made long, all depending on what type of tools your company is really using.

Easiest advice is to close everything except traffic from your proxy on 80 and 443 (as you proposed). And have a free path to your proxy at 8080 (or the port your proxy responds at). And then give an error page asking the users to contact support if something not listed is tried.

About the services that open inbound ports:
Normally they only open ports they respond to, and as you said it is easier to open outbound on servers and restrict inbound. (Check open service ports with "netstat -ano".)


But some ports I use often:

Terminal services 3389
File sharing 445 (UDP 137,138)
MSN 1863
Telnet (e.g. PuTTY) 22
...
Jordanlcn commented:
I had the exact same issue when I took over a small office network. What I did was:

1.  Identify critical workstations and servers. Stations that still need full access (the boss, of course, since they write the checks).
2.  Identify the way the network was set up. Where is the DHCP? What is the DNS? etc.
3.  Set up an Untangle box in between the firewall and the network (bridge mode). (Depending on the number of users, the Untangle box can just be a desktop with a high-end network card.)
4.  Set up protocol blocking in Untangle and just block P2P sharing. Untangle has a way of detecting these protocols, since P2P has a knack for port hopping.

Yeah, you said at no cost. Use any of your extra workstations.

The plus side is that there are other ways to hog the network/internet connection. There is video streaming, off the top of my head. Not to mention production-impacting websites like Facebook, MySpace, etc. With the combination of Untangle and OpenDNS you can potentially do away with 90% of this stuff. All for free except the Untangle hardware (an ordinary PC).
Eric B, Director of Information Technology, commented:
Umm, if you are using a BlackBerry BES server, you will need 3101 open outbound.
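Pulling together the asker's rule list, zepar303's proxy-only path and Eric B's port 3101, here is an added example (not from anyone in the thread) of that egress policy written as iptables rules on a Linux firewall sitting between the LAN and the ISP link. Every address and interface name is a constructed placeholder, and it assumes a Linux box rather than the ISP's own firewall.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny egress policy on a Linux
# firewall's FORWARD chain. All addresses/interface names are constructed.
# Dry run by default; set IPT=iptables (as root) to apply for real.
IPT="${IPT:-echo iptables}"

WAN_IF="eth0"                          # constructed: interface towards the ISP
LAN_NET="192.0.2.0/24"                 # constructed: internal network
WEB_PROXY="192.0.2.10"                 # constructed: the web proxy
MAIL_SERVERS="192.0.2.20 192.0.2.21"   # constructed: authorised mail servers
DNS_SERVERS="192.0.2.5 192.0.2.6"      # constructed: DC/DNS servers
BES_SERVER="192.0.2.30"                # constructed: BlackBerry BES server

egress_policy() {
    # Start from deny-all instead of the current allow-all.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies to already-accepted connections, including traffic for inbound
    # services (webmail, VPN, POP3/IMAP...), match here via connection tracking,
    # so those services need no outbound rules of their own.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 80/443 only from the web proxy.
    $IPT -A FORWARD -o "$WAN_IF" -s "$WEB_PROXY" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 21 open outbound; with the nf_conntrack_ftp helper loaded the FTP data
    # connection is RELATED and passes through the rule above.
    $IPT -A FORWARD -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 21 -j ACCEPT

    # 25 only from the authorised mail servers.
    for h in $MAIL_SERVERS; do
        $IPT -A FORWARD -o "$WAN_IF" -s "$h" -p tcp --dport 25 -j ACCEPT
    done

    # DNS only from the internal DNS servers; clients resolve through them.
    for h in $DNS_SERVERS; do
        $IPT -A FORWARD -o "$WAN_IF" -s "$h" -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -o "$WAN_IF" -s "$h" -p tcp --dport 53 -j ACCEPT
    done
    # BES needs 3101 outbound.
    $IPT -A FORWARD -o "$WAN_IF" -s "$BES_SERVER" -p tcp --dport 3101 -j ACCEPT

    # Log what else tries to leave (rate-limited), then drop it; the log line
    # names the host and port, which is the evidence to check when an app breaks.
    $IPT -A FORWARD -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    $IPT -A FORWARD -o "$WAN_IF" -j DROP
}

egress_policy
```

The ESTABLISHED,RELATED rule is what settles the question about inbound services: replies to accepted connections pass without per-service outbound rules, and most firewalls, ISP-managed ones included, offer an equivalent stateful option.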
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.