Comment by 9dev
5 days ago
I definitely block outgoing ports on all our servers by default; Established connections, HTTP(S), DNS, NTP, plus infra-specific rules. There is really no legitimate reason to connect to anything else. The benefit is defence against exfiltration.
If you're allowing direct https out, how are you stopping exfiltration?
Maybe https is routed through a monitoring proxy, but in the situation of allowing ssh the ssh wouldn't be going though one. So I still don't see the point of restricting outgoing ports on a machine that's allowed to ssh out.
You can't, reasonably. It's just a heuristic against many exploits using non-standard ports to avoid detection by proxies or traffic inspection utilities.
You can, but you need additional components to do it, like an SSH session broker (i.e. a gateway or proxy). Some of these, like SSH Communications' PrivX suite, can record all traffic running through the proxy. It's not all that different from HTTPS security and auditing proxies.