Egress Filtering

Author(s): Eric Rand

You are probably already aware that filtering inbound traffic at the firewall is an essential part of network security - but what you may not know is that filtering the outbound traffic, "egress filtering," is also very important.

Egress filtering is a little more subtle than traditional ingress blocking; the goal is not so much to stop attacks directly but to deny attackers the ability to learn things about your network, and also to mitigate the effects of any attacks that do get through your other defenses.

It's a part of what we refer to as 'defense in depth' - layering defenses in your organization so that each of them covers potential gaps in the others. If an attacker is able to bypass one defense, another will catch them.

In the case of egress filtering, it counters two situations. The first is an attacker seeking to sniff internal traffic that leaks outside the gateway - for instance, NetBIOS traffic, which contains useful information about how the network is structured and which systems are active on it. The second is so-called C2 traffic generated once an attacker has succeeded in infecting a system; egress filtering provides a block against it [and potentially a notification of it].

As an example, a former client discovered that a system on their network had become infected with malware; we found this when the NIDS in their Alienvault installation flagged suspicious DNS requests. The system was receiving C2 - 'command and control' - instructions from a foreign country, using a DNS server sited in that country.

To prevent that from being an issue in the future, we advised them to enable egress filtering for DNS requests - only their domain controller would be allowed to make DNS requests outside of the network; every other system would have to request DNS from the domain controller [which would forward external requests on their behalf].

With this measure implemented, even if another system became infected with the same kind of malware, the malware would not be able to 'phone home' - its request to the DNS server outside of the network would be blocked, and the attempt would be logged by the firewall and sent to the Alienvault system.

This is just one example of the benefits that you can achieve with egress filtering. It does require a bit of work to set up: to do this effectively, you will need to identify the services within your organization that are specifically authorized to communicate outside of the firewall to the internet at large, and which of your systems are authorized to use those services.
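As an added illustration (not code from the author or from any product mentioned in this post), here is a small Python model of an egress allowlist in the shape just described: each internet-facing service is paired with the internal systems authorized to use it, with the DNS rule from the example above as one entry. It goes beyond the DNS case to show the general per-service allowlist; the network ranges, the domain controller and mail relay addresses, and the sample flows are all constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed example network; none of these addresses come from the article.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DOMAIN_CONTROLLER = "10.0.0.10"  # hypothetical: the only host allowed to resolve DNS externally
MAIL_RELAY = "10.0.0.25"         # hypothetical: the only host allowed to send mail outbound

# Egress allowlist: destination port -> internal sources authorized to reach the internet
# on it (None = any internal host). External traffic matching no entry is denied.
EGRESS_POLICY = {
    53: {DOMAIN_CONTROLLER},  # DNS: clients ask the DC, which forwards on their behalf
    25: {MAIL_RELAY},         # SMTP: only the relay talks to outside mail servers
    443: None,                # HTTPS: ordinary browsing from any workstation
}

Flow = namedtuple("Flow", "src dst proto dport")  # one connection attempt seen at the firewall

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def egress_verdict(flow):
    """Decide whether one outbound flow passes the egress filter; returns (verdict, reason)."""
    if is_internal(flow.dst):
        return ("allow", "internal traffic, not subject to egress filtering")
    allowed = EGRESS_POLICY.get(flow.dport, set())
    if allowed is None or flow.src in allowed:
        return ("allow", f"authorized egress on port {flow.dport}")
    return ("block", f"unauthorized egress on port {flow.dport}")

def evaluate(flows):
    """Apply the policy to a batch of flows; return verdicts plus the deny log lines a firewall would forward to the SIEM."""
    verdicts, alerts = [], []
    for f in flows:
        verdict, reason = egress_verdict(f)
        verdicts.append(verdict)
        if verdict == "block":
            alerts.append(f"EGRESS_DENY src={f.src} dst={f.dst} dport={f.dport}/{f.proto} {reason}")
    return verdicts, alerts

# Constructed flows: client -> DC lookup, DC forwarding out, an infected workstation
# resolving directly against an external server, normal HTTPS, and direct outbound SMTP.
SAMPLE_FLOWS = [
    Flow("10.0.1.50", DOMAIN_CONTROLLER, "udp", 53),
    Flow(DOMAIN_CONTROLLER, "198.51.100.53", "udp", 53),
    Flow("10.0.1.77", "203.0.113.9", "udp", 53),
    Flow("10.0.1.77", "203.0.113.80", "tcp", 443),
    Flow("10.0.1.77", "203.0.113.25", "tcp", 25),
]
```

Running `evaluate(SAMPLE_FLOWS)` yields two deny lines, both from the workstation: the direct external DNS lookup (the malware 'phone home' case in the article) and the direct SMTP connection, while the DC's forwarded lookup and the workstation's HTTPS pass.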

However, once egress filtering is put in place, your network will be far safer, and a much harder target for most attackers. If you need assistance in implementing this in your organization, please feel free to talk with any of us, and we will be more than happy to help you implement this capability within your network.