As a security expert, most companies I see are more concerned about what’s going to hit them from outside their network and don’t realize that what’s leaving their network is just as important. Being able to restrict outbound traffic, or in many cases to funnel outbound traffic through a small number of egress points, makes it much more difficult for attackers to exfiltrate data. It will also come in handy when you start looking at the encrypted data that’s leaving the network (see my previous blog post). Here are a few tips for managing egress filtering on your firewalls:
By using proxy choke points in the network, your firewalls can be configured to accept outbound traffic only from a handful of proxies rather than from the entire network. This limits the amount of traffic hitting the firewall and adds an additional layer of security to your outbound traffic.
If the firewall wasn’t configured for egress filtering from the outset, its ruleset is most likely set to allow unfiltered outbound access. However, since most firewalls have thousands, even tens of thousands, of rules, it’s not practical to comb through them manually to find the risky ones. By running a firewall ruleset analyzer against your rulesets, you can pinpoint the risks immediately, including rules that permit risky outbound traffic as well as open ports. Make sure to review these risks and assess the systems that are using them.
Once you have all the outbound and egress rules locked down in your firewall, create a policy that dictates that all future outbound rules are documented with business justification, e.g. why these rules were created, who’s using them, which applications and systems are using them and who the business owners are. This is not only helpful for audits, but it’s good practice to actually know what your firewall rules are used for, especially when they’re allowing packets to leave your network.
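To show what the ruleset review above amounts to in practice, here is an added example (not code from the original post) of a minimal egress rule checker. It works on a constructed, vendor-neutral rule list and assumes the internal address ranges, the proxy choke-point addresses and the rule fields shown; it flags permit rules leaving the network that don’t originate from a proxy, that allow any destination or any service, or that carry no business justification.

```python
import ipaddress

# Assumed internal address space and proxy choke points (constructed values).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PROXIES = {ipaddress.ip_network("10.1.1.10/32"), ipaddress.ip_network("10.1.1.11/32")}

# Constructed sample ruleset: (name, src, dst, proto, port, action, justification).
# This is a simplified illustrative format, not any vendor's syntax.
RULES = [
    ("allow-proxy-web", "10.1.1.10/32", "0.0.0.0/0",  "tcp", "443", "allow",
     "CR-1234: web egress via proxy; owner: netops"),
    ("legacy-any-out",  "10.0.0.0/8",   "0.0.0.0/0",  "any", "any", "allow", ""),
    ("dmz-dns",         "10.5.0.0/24",  "0.0.0.0/0",  "udp", "53",  "allow",
     "DMZ resolvers to public DNS; owner: dmz-team"),
    ("internal-smb",    "10.0.0.0/8",   "10.0.0.0/8", "tcp", "445", "allow", "file shares"),
    ("deny-default",    "0.0.0.0/0",    "0.0.0.0/0",  "any", "any", "deny",  "default deny"),
]

def is_internal(net):
    return any(net.subnet_of(i) for i in INTERNAL)

def is_proxy(net):
    return any(net.subnet_of(p) for p in PROXIES)

def analyze(rules):
    """Return {rule_name: [findings]} for permit rules whose destination leaves the network."""
    findings = {}
    for name, src, dst, proto, port, action, why in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if action != "allow" or is_internal(dst_net):
            continue  # only outbound permits are egress risks
        issues = []
        if not is_proxy(src_net):
            issues.append("source is not a proxy choke point")
            if dst_net.prefixlen == 0:
                issues.append("destination is any")
        if proto == "any" or port == "any":
            issues.append("permits any service")
        if not why.strip():
            issues.append("no business justification")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for rule, issues in analyze(RULES).items():
        print(f"{rule}: {'; '.join(issues)}")
```

Only the proxy rule with a defined service and a documented owner passes; everything else leaving the network gets a finding to review with its business owner.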
There’s a good chance that your network has a DMZ, PCI zone, or some other sensitive network that shouldn’t have direct access from other networks into them. These are key areas in your network and the firewalls allowing data to ingress and egress them should be subject to the same, if not higher, scrutiny. Their firewalls should be treated with the same logging, review and business justification as your other firewalls that interact with external networks.
When setting up a network there are two directions traffic can flow through your firewall: inbound and outbound. We’ve seen many companies recently get breached because the egress rules on their firewall allowed the attackers to siphon data out of their network without anyone noticing. Let’s make it harder for hackers to exfiltrate data out of our networks. Establish proper egress filtering on your firewalls and only allow exactly what’s needed out.