System administration
Evdokim, 2020-01-15 23:58:40

Does it make sense to block outgoing traffic in Mikrotik?

Does it make sense to block all outgoing traffic (which goes to the Internet, src-nat), leaving only those ports that are allowed? Does this add "security" to the users of the organization and Mikrotik itself?
The system administrator in one organization has introduced a similar "strange" practice and now you have to periodically ask to add some ports to the exceptions. For example, jabber clients that run not only on port 443, but are also affected by 3478-3481, require such exceptions.
I asked him; he says it supposedly adds "security". What "security" can there be if you can use forwarders, proxies and VPNs, which easily allow you to bypass these "restrictions"? Moreover, the VPN server can be set up on the same 443 or 80 port. It will not block the 443 or 890 port.
Does this practice make sense?


4 answer(s)
Artem @Jump, 2020-01-16

Does it make sense to block outgoing traffic in Mikrotik?
This should be asked of the administrator of that particular network. Who knows whether there is sense in such an action or not?
Does this add "security" to the users of the organization and Mikrotik itself?
What is security?
Any customization is done for a specific purpose.
If the setting is done without a specific goal, according to the principle "adds security" - then the setting was done by an idiot.

gav_cat, 2020-01-16
@gav_cat

Good day!
I think it's necessary.
In the IP network, Chinese-made cameras are constantly breaking somewhere in China - possibly in their own cloud.
Many miners will fall off too, most likely even all.
Torrents.
I found a computer on which the user installed mediaget, which just poured a lot of traffic.

dollar, 2020-01-16
@dollar

There is meaning, but it is not enough.
In theory, and in practice, a virus may not be able to use proxies or VPNs, but stupidly knock on its hardcoded port 12345 (any number), which, fortunately, is blocked.
Another question is, why the hell did the virus penetrate at all? That is, having penetrated once, the virus will be able to penetrate a second time, only with a normal upgrade. And why can't a virus knock on port 80?
But the fact remains, primitive ill-conceived viruses are still found. And in general, the "security" from such a blocking increases. But, IMHO, the hassle does not justify the goal, if it is not a bank. And in the case of a bank, a white list of addresses will not hurt either.

nApoBo3, 2020-01-16
@nApoBo3

"Security" is insignificant, but adds.
It also improves handling a bit.
Plus, you need to understand that the admin, if this is not a whole team of pros, cannot be completely sure of his competencies across the entire spectrum of technologies and will rely more on those technologies that he understands better. He probably feels more confident in Mikrotik.
Suppose all ports are open and the user uses a hypothetical Jabber, and something bad happens through it. It absolutely doesn't matter what, but to management it looks bad. Who is to blame? The admin.
Let's say the admin blocked everything with the available methods, the user bypassed these methods, and something bad happened. Who is to blame? The user. And when asked why it couldn't be blocked, the answer is that even the state couldn't block Telegram, let alone us.
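
The thread's point about malware that keeps knocking on a hardcoded, blocked port has a detection side: if the drop rule logs, the log shows which internal hosts are doing the knocking. The sketch below is an added example, not part of the original thread; the `egress-drop` log prefix, the sample addresses and ports, and the line layout (modelled on RouterOS firewall logging) are assumptions to adapt to your own router's output.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the layout RouterOS uses for firewall
# rules with log=yes; the "egress-drop" prefix and all addresses are made up.
SAMPLE_LOG = """\
egress-drop forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50112->203.0.113.9:12345, len 52
egress-drop forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50113->203.0.113.9:12345, len 52
egress-drop forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50114->203.0.113.9:12345, len 52
egress-drop forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50115->203.0.113.9:12345, len 52
egress-drop forward: in:bridge out:ether1, proto UDP, 192.168.88.40:40001->198.51.100.7:32100, len 76
egress-drop forward: in:bridge out:ether1, proto UDP, 192.168.88.40:40001->198.51.100.8:32100, len 76
egress-drop forward: in:bridge out:ether1, proto UDP, 192.168.88.40:40001->198.51.100.9:32100, len 76
egress-drop forward: in:bridge out:ether1, proto UDP, 192.168.88.15:53000->192.0.2.33:3478, len 48
other-rule forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.15:53001->192.0.2.34:8080, len 52
"""

LINE_RE = re.compile(
    r"^(?P<prefix>\S+) forward: .*?proto (?P<proto>[A-Z]+)[^,]*, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def summarize_drops(log_text, prefix="egress-drop"):
    """Return {src_ip: {(proto, dport): {"hits": n, "dsts": set}}} for dropped egress."""
    report = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "dsts": set()}))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["prefix"] != prefix:
            continue  # not a forward-chain line from the egress drop rule
        entry = report[m["src"]][(m["proto"], int(m["dport"]))]
        entry["hits"] += 1
        entry["dsts"].add(m["dst"])
    return report

def hosts_to_review(report, min_hits=3):
    """Hosts that keep retrying one blocked port: candidates for a closer look."""
    flagged = []
    for src, ports in report.items():
        for (proto, dport), e in ports.items():
            if e["hits"] >= min_hits:
                flagged.append((src, proto, dport, e["hits"], len(e["dsts"])))
    return sorted(flagged, key=lambda f: -f[3])

if __name__ == "__main__":
    for src, proto, dport, hits, ndst in hosts_to_review(summarize_drops(SAMPLE_LOG)):
        print(f"{src} -> {proto}/{dport}: {hits} drops to {ndst} destination(s)")
```

A single drop, like the one to port 3478 in the sample, is more likely a legitimate client that needs an exception; repeated drops to the same port are the ones worth tracing back to a machine.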
