    Date: 13 Feb 2003
    Posted By: Anthony Pell
    Security is not just protecting yourself from others, you must protect others from yourself. Egress filtering is an important part of any firewall setup.

    The Slammer/Sapphire/etc. worm really ruined my Internet experience for a few days. Yes, patches were available. Yes, people should have blocked inbound access to their Windows boxes when it was not needed. These and many other explanations of what could have been done were discussed all over. However, one thing that seems to have been overlooked in many sources is that it was the outbound packets that were killing us, and we shouldn't have been subject to them at all.

    We are used to thinking of security as a defensive battle: keep the bad guys out of our systems. We set up our firewalls to block known attacks, block any inbound packets that don't go to permitted ports, restrict inbound packets from untrusted sources, keep spam out by blocking connections from machines on DNSBLs. These are all defensive barriers we erect in front of our servers to keep the bad guys out.

    The problem is that sooner or later there will be a breach of those barriers. Perhaps a bug exists in one of the services that you do need to permit. Perhaps your firewall rules were too weak. Once you are cracked, the cracker is on the inside of the firewall and is uninhibited by your inbound rulesets.

    Blocking inappropriate inbound access is a very good and necessary thing. However, people need to start blocking inappropriate outbound access too. If your machine is just a mail server, then it needs to be able to send out packets from and to port 25, but it doesn't need to be able to make an HTTP connection. If you run a DNS server, it doesn't need to be able to support outbound FTP. And for goodness' sake, if your network is w.x.y.z, packets with a source address outside that block should never leave your borders.

    When your computer is compromised, you are no longer the innocent party trying to defend yourself; to other machines you have become the attacker. You owe it to others to make outbound attacks more difficult for the cracker or worms that have managed to get onto your machine.

    Outbound packet security is called egress filtering. It's no harder to implement than the ingress filtering rules you should already have. Had the Slammer hosts been behind firewalls with proper egress filters, the outbound attacks would have been dropped at their firewall/router.
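    As an added example (not part of the original article), here is a small script that prints the iptables egress rules a perimeter firewall would apply to a single-purpose mail or DNS server, following the rules above: default deny outbound, only the ports the role needs, and no packets with a foreign source address. The network 192.0.2.0/24, the interface names and the role names are constructed values, and the DNS allowance for the mail server is my addition rather than something the article states.

```shell
#!/bin/sh
# Added example: generate iptables egress rules for a perimeter firewall in
# front of a single-purpose server. The values below are constructed; they
# stand in for "w.x.y.z" in the text. Rules are printed, not applied, so
# they can be reviewed first (load with: egress_rules mail | sh).
NET="192.0.2.0/24"     # constructed: the address block we own
INSIDE="eth1"          # constructed: interface towards our servers
OUTSIDE="eth0"         # constructed: interface towards the Internet

# egress_rules ROLE  (ROLE is 'mail' or 'dns'): print the FORWARD-chain
# rules governing packets that leave our network.
egress_rules() {
    role="$1"
    case "$role" in
        mail|dns) ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    # Replies belonging to connections that were allowed in are fine.
    echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: no packet whose source is outside our block may leave.
    echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE ! -s $NET -j DROP"
    if [ "$role" = mail ]; then
        # A mail server originates SMTP; it also has to look up MX records
        # (the DNS allowance is an addition, not stated in the article).
        echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $NET -p tcp --dport 25 -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $NET -p udp --dport 53 -j ACCEPT"
    else
        # A DNS server talks to other name servers on port 53 and nothing
        # else: no outbound FTP, no outbound HTTP.
        echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $NET -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $NET -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    fi
    # Log, then drop, everything else. A hit on this rule is an early sign
    # that the server has been compromised and is trying to attack outward.
    echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -j LOG --log-prefix 'EGRESS-DROP: '"
    echo "iptables -A FORWARD -i $INSIDE -o $OUTSIDE -j DROP"
}

# Print the ruleset for the role given on the command line (default: mail).
egress_rules "${1:-mail}"
```

The final LOG rule is what turns the filter into a detection aid: a mail server that suddenly produces EGRESS-DROP entries for port 80 or random UDP ports is telling you it has been cracked.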
