msbonniemc wrote:
How do you determine what traffic is traversing?
Most firewalls have a view into a list of active network connections: from which local host and port to which remote host and port, or from which remote host and port to which local host and port. Mid- and upper-end firewalls will have displays of this data, and will have controls and monitoring.
As an example of an issue that a firewall would want to detect and probably block and log, an outbound connection from TCP port 25 would be an indication of serious issues with that client, if no host on your local network should be running a mail server.
Some folks will go further and run intrusion detection on the firewall, which detects traffic connecting to suspected or known-bad hosts. Past the immediately weird stuff like TCP port 25, and other similar obvious network shenanigans, the next favorite for some folks is adding host and port lists for malware, and these are typically and necessarily very dynamic, as malware hosting is intentionally very dynamic. And malware that intentionally uses the ephemeral port range or the like blends right in.
Higher-security environments can go a few steps further and provide a list of allowed hosts and connections from each local client, and will block all others: blocking all outbound traffic except what is expected.
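The three layers the reply above describes (flagging an obvious protocol oddity such as SMTP on a host that should not be a mail server, blocking destinations on a known-bad list, and in strict mode allowing only an explicit per-client list and denying everything else) can be run as a single policy check over connection records. The following is an added example, not code from the original thread or from any particular firewall product; the record format, the addresses, the sample connections and the policy lists are all constructed for illustration.

```python
"""Egress policy check over firewall connection records.

Added example, not from the original thread. Applies three layers of
outbound policy: (1) an obvious protocol oddity (TCP port 25 on either end
of a connection from a host that is not a designated mail server),
(2) a known-bad destination list, (3) a strict per-client allow list with
everything else blocked. All formats, addresses and lists are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, str, int]  # (proto, remote ip, remote port)


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_conn(line: str) -> Conn:
    """Parse a constructed 'proto src_ip:port -> dst_ip:port' record."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))


@dataclass
class Policy:
    mail_servers: Set[str]                # local hosts allowed to speak SMTP
    bad_hosts: Set[str]                   # known-bad remote IPs (dynamic feed)
    bad_endpoints: Set[Tuple[str, int]]   # known-bad (remote ip, port) pairs
    # Strict mode: per-client allow list; anything not listed is blocked.
    # None means strict mode is off.
    allow: Optional[Dict[str, Set[Endpoint]]] = None


def evaluate(conn: Conn, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    # Layer 3: default-deny egress. Only expected destinations pass.
    if policy.allow is not None:
        permitted = policy.allow.get(conn.src_ip, set())
        if (conn.proto, conn.dst_ip, conn.dst_port) not in permitted:
            return "block", "not in per-client allow list"
    # Layer 2: threat-intel lists. Malware hosting moves, so refresh often.
    if conn.dst_ip in policy.bad_hosts or (conn.dst_ip, conn.dst_port) in policy.bad_endpoints:
        return "block", "known-bad destination"
    # Layer 1: obvious oddities. SMTP on either end of an outbound
    # connection from a host that is not a designated mail server.
    if conn.proto == "tcp" and 25 in (conn.src_port, conn.dst_port) \
            and conn.src_ip not in policy.mail_servers:
        return "block", "SMTP from non-mail-server"
    return "allow", "no rule matched"


def audit(lines: List[str], policy: Policy) -> List[Tuple[str, str, str]]:
    """Evaluate each record; returns (record, verdict, reason) triples."""
    return [(line,) + evaluate(parse_conn(line), policy) for line in lines]


# Constructed sample records (not real firewall output).
SAMPLE_CONNS = [
    "tcp 10.0.0.5:51234 -> 93.184.216.34:443",   # ordinary HTTPS from a workstation
    "tcp 10.0.0.5:51235 -> 198.51.100.7:25",     # workstation speaking SMTP: suspicious
    "tcp 10.0.0.9:51236 -> 198.51.100.7:25",     # designated mail relay: expected
    "tcp 10.0.0.5:51237 -> 203.0.113.66:8080",   # destination on the known-bad list
    "udp 10.0.0.5:51238 -> 203.0.113.99:49152",  # ephemeral-range port, nothing obvious
]

BASE_POLICY = Policy(
    mail_servers={"10.0.0.9"},
    bad_hosts={"203.0.113.66"},
    bad_endpoints=set(),
)

# Same lists with the strict per-client allow list switched on.
STRICT_POLICY = Policy(
    mail_servers=BASE_POLICY.mail_servers,
    bad_hosts=BASE_POLICY.bad_hosts,
    bad_endpoints=BASE_POLICY.bad_endpoints,
    allow={
        "10.0.0.5": {("tcp", "93.184.216.34", 443)},
        "10.0.0.9": {("tcp", "198.51.100.7", 25)},
    },
)

if __name__ == "__main__":
    for label, policy in (("base", BASE_POLICY), ("strict", STRICT_POLICY)):
        print(f"--- {label} policy ---")
        for record, verdict, reason in audit(SAMPLE_CONNS, policy):
            print(f"{verdict:5}  {record:45}  {reason}")
```

Under the base policy the UDP connection to an ephemeral-range port passes untouched, which is the point the reply makes about malware that blends in; only the strict per-client allow list catches it, because it blocks on what is not expected rather than on what is known to be bad.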