Filtering Outbound Traffic at the Firewall

Inbound and Outbound Firewall Traffic

Firewalls are the cornerstones of corporate intranet security. Even the smallest organizations have them. Almost invariably, these firewalls implement a policy that restricts the flow of inbound traffic. But what about outbound traffic?

Historically, outbound traffic has enjoyed much greater freedom. Taken ad-absurdum, the reasoning could be something like “since we trust our employees not to do anything malicious or stupid, and since our internal networks are secure, outbound traffic is safe to let through”. Unfortunately, this argument has some major holes in it…

Firewall Traffic: Outbound is Inbound too…

Traffic is never just “outbound”. A traffic connection is always bi-directional. Saying that it is “outbound” just indicates that the internal computer sent the first packet, and the other side replied. But what is sent after that initial handshake, in both directions, can be much more than you’d expect.

Here is how instant messaging systems, peer-to-peer networks, and Skype work. An internal computer initiates a connection to an external server or peer. Once the connection is established (and it’s allowed by the firewall since it’s outbound!), other external computers can piggyback on this connection and send their traffic into your network. They can pull p2p-shared files off the internal computer, send instant messages to it, and use your high-bandwidth link to make free VoIP calls. All it takes is a firewall that allows all outbound traffic, and some unruly or naive employees to install the software on their desktops.

Malware Command-and-control

You obviously know about viruses and Internet Worms, and you have the latest anti-virus software on all your PCs (right?!). But some PCs still get infected from time to time. Maybe the virus spread before the anti-virus vendor released the new definitions (exploiting a zero-day vulnerability). Maybe a road-warrior’s laptop caught something in an Internet cafe. And today’s malware writers are not trying to trash your disk. They are recruiting “0wned” computers to join their botnet or zombie army – some armies reported to include hundreds of thousands of computers. These ‘bots participate in denial-of-service attacks, and distribute spam e-mail. In addition to their direct malicious behavior, their activities can have some nasty side-effects, like causing your mail server to be black-listed – and for 24-48 hours none of your clients receive emails from your organization!

And how do the ‘bot-masters control their armies? The ‘bots initiate outbound connections to external command computers and keep checking if there is any command for them to execute. Again, we see how a connection that is formally “outbound” in fact causes very undesirable inbound traffic. A good firewall policy, that filters outbound traffic, can limit the damage they can cause until your administrators find and clean them.

Corporate Policy and Legal Considerations

You may have legal requirements to retain all e-mail messages. If users can initiate outbound connections freely, they could perhaps use an external mail server and bypass this requirement. You may want to forbid access to certain services or web sites. etc., etc. Your firewall can help you enforce these policies.

Outbound Firewalls: Bottom Line

You should be concerned about outbound traffic, and you should definitely filter it based on a well-defined policy. If you don’t have such a policy – I suggest you create one. Google for egress filtering – the SANS Institute has a good white paper about it.