Outbound ports to allow through firewall - core requirements

If I only want to allow HTTP, POP3, IMAP4, SMTP functionality for outbound traffic (i.e. no servers hosted at site) are there any additional ports that need to be open to allow those functions to work (e.g. DNS UDP ports)?

See also: outbound ports that are always open

If some of the answers below seem weird, please see the edits of this post - I removed a lot of detail that seemed to solicit answers to different questions altogether.


If you "...share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs.", don't you think you should at least ask them for specific needs they may have? I'm not sure what your setup is, but I've been in a "shared" internet connection situation before, and you will want to consult with them first rather than arbitrarily blocking everything except for ports that your org needs or else you could have a lawsuit on your hands if you block a business-required service for one of the other orgs just because you didn't feel like asking them first...

EDIT due to totally revised question

  • HTTP - TCP:80
  • HTTPS- TCP:443
  • POP3 - TCP:110 (secure POP is typically TCP:995)
  • IMAP4- TCP:143 (secure IMAP is typically TCP:993)
  • SMTP - TCP:25 (secure SMTP is typically TCP:465)
  • DNS - UDP:53 (external lookups)

These services could be on other ports, but these are the standard ports. Some have mentioned other HTTP ports in the 8000 range which is possible, but public sites typically do not do this. Again, you should monitor the traffic and see if other ports are necessary before opening them up.

If you have established that these ports are indeed used by your company (you have users connecting to external mail servers over POP3, IMAP, and sending mail directly over the SMTP port) you should probably take note of which external IPs they connect to and limit the ACLs to only those IPs on the firewall. This will limit somewhat your exposure if any of your users ever gets infected with a mail worm or other similar virus.

For DNS lookups, depending on your setup, only your internal DNS servers (AD DCs if you are using AD) would be doing any lookups and your clients would use them as their DNS servers. You would typically also know which external DNS servers they are using and limit their outbound lookups to just those external DNS servers for forwarding. If your clients are doing lookups themselves, then again you would probably know which external DNS servers they are going to and limit their outbound connection to just those external servers.

In all of these ACL setups all you need is to allow the port of the service out. Any stateful firewall (I believe you mentioned ASA 5505s prior to the edit?) will recognize a response from the outside and let it in as an established session (and refuse connections that have no established session).


I recently implemented this in an environment that I consult in. I took a week and logged all egress traffic so that I first got a good idea of what the most used ports were. For any high-use ports that were out of the ordinary (Steam ports, for example), I worked with management and made sure that they were or were not needed for business. I also checked to make sure there was not any proprietary software that the organization ran that was communicating on non-standard ports.

Finally, I implemented the blocking changes, and monitored for the next couple weeks.

All told, this process took me about a month, but because I did the prep work ahead of time, it went very smoothly.

-Josh
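The allow-list in the answer above (HTTP/S, POP3/S, IMAP4/S, SMTP/S, DNS, with mail and DNS pinned to known destination addresses) and Josh's "log first, then block" procedure can be dry-run against a flow log before anything is changed on the firewall. The script below is an added example and is not code from the question or from any of the answers; the log line format, the RFC 5737 documentation addresses used for the "known" mail and DNS servers, and the sample flows are all constructed for illustration and are not ASA syslog.

```python
"""Dry-run an outbound allow-list against a constructed egress flow log.

Added example, not from the original post. Models the allow-list from the
answer above, restricts mail and DNS to known destinations, and replays
sample flows through it to show what would be blocked and which ports
dominate the traffic (the logging step before blocking).
"""
import ipaddress
import re
from collections import Counter

# Assumed known external hosts (RFC 5737 documentation addresses, constructed).
MAIL_SERVERS = [ipaddress.ip_network("203.0.113.10/32"),
                ipaddress.ip_network("203.0.113.11/32")]
DNS_FORWARDERS = [ipaddress.ip_network("198.51.100.53/32")]

# (proto, dport) -> (service, permitted destination nets, or None for any host).
ALLOWLIST = {
    ("tcp", 80):  ("http",  None),
    ("tcp", 443): ("https", None),
    ("tcp", 110): ("pop3",  MAIL_SERVERS),
    ("tcp", 995): ("pop3s", MAIL_SERVERS),
    ("tcp", 143): ("imap4", MAIL_SERVERS),
    ("tcp", 993): ("imaps", MAIL_SERVERS),
    ("tcp", 25):  ("smtp",  MAIL_SERVERS),
    ("tcp", 465): ("smtps", MAIL_SERVERS),
    ("udp", 53):  ("dns",   DNS_FORWARDERS),
}

# Constructed log format for this example (not ASA syslog).
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")

# Constructed sample flows: one client mail-worm style direct SMTP, one
# alternate HTTP port, one game-traffic port, the rest ordinary traffic.
SAMPLE_LOG = [
    "2012-03-01T09:00:01 src=10.0.0.12 dst=203.0.113.80 proto=tcp dport=443",
    "2012-03-01T09:00:02 src=10.0.0.12 dst=203.0.113.80 proto=tcp dport=80",
    "2012-03-01T09:00:05 src=10.0.0.20 dst=203.0.113.10 proto=tcp dport=993",
    "2012-03-01T09:00:05 src=10.0.0.20 dst=198.51.100.53 proto=udp dport=53",
    "2012-03-01T09:01:10 src=10.0.0.31 dst=203.0.113.99 proto=tcp dport=25",
    "2012-03-01T09:01:11 src=10.0.0.31 dst=203.0.113.80 proto=tcp dport=8080",
    "2012-03-01T09:02:00 src=10.0.0.40 dst=198.51.100.7 proto=udp dport=27015",
    "2012-03-01T09:02:01 src=10.0.0.40 dst=198.51.100.53 proto=udp dport=53",
    "2012-03-01T09:03:00 src=10.0.0.12 dst=203.0.113.80 proto=tcp dport=443",
]


def parse_log(lines):
    """Turn log lines into (src, dst, proto, dport) tuples; skip unparseable lines."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            flows.append((src, dst, proto, int(dport)))
    return flows


def decide(dst, proto, dport):
    """Policy for a NEW outbound flow: ('allow', service) or ('deny', reason).

    Return traffic is deliberately not modelled: a stateful firewall admits
    it as part of the established session, so only the initial packet
    needs an ACL entry.
    """
    entry = ALLOWLIST.get((proto, dport))
    if entry is None:
        return ("deny", "port not in allow-list")
    service, nets = entry
    if nets is not None:
        addr = ipaddress.ip_address(dst)
        if not any(addr in net for net in nets):
            return ("deny", f"{service} to unapproved host {dst}")
    return ("allow", service)


def summarize(flows):
    """Tally (proto, dport) usage and list flows the policy would block."""
    port_counts = Counter((proto, dport) for _, _, proto, dport in flows)
    blocked = []
    for src, dst, proto, dport in flows:
        verdict, detail = decide(dst, proto, dport)
        if verdict == "deny":
            blocked.append((src, dst, proto, dport, detail))
    return port_counts, blocked


if __name__ == "__main__":
    counts, blocked = summarize(parse_log(SAMPLE_LOG))
    print("Most used ports:")
    for (proto, dport), n in counts.most_common():
        print(f"  {proto}/{dport}: {n}")
    print("Flows the allow-list would block:")
    for src, dst, proto, dport, why in blocked:
        print(f"  {src} -> {dst} {proto}/{dport}: {why}")
```

Run it as-is to see the port tally and the three flows that would be denied; in practice you would feed it a week of real egress logs, then discuss each unexpected port with management before turning the deny rules on, and keep logging denies afterwards to catch anything missed.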


It's not uncommon to find web servers running on port 8080, 8000 or 8888, so you might want to include those.


Port 25 for SMTP, but if you have a relay then just allow the relay. Messengers: MSN, GTalk, etc.

Set up logging and watch what is blocked as well; there may be somebody using a different port.