The Importance of Egress Filtering at the Firewall

It’s been a while since I touched on this subject but it has come up during a number of audits and information security investigations the team at HBS has been a part of over the past few weeks.  Egress filtering is a basic principle that should be implemented at every organization to prevent hacking activity from leaving your network.  Granted, you can’t stop everything, but you can at least try.  True information security is based on incremental success.

Here’s how it works.  We always do ingress filtering.  That is, we only allow trusted and known traffic into the firewall from the internet.  This traffic is typically allowed into a DMZ and then traffic from the DMZ is allowed through to the internal network.  This traffic is allowed only from selected IP addresses and specific ports.  Everything else is blocked.

We need to do the same thing on all traffic leaving our network.  We only want known good traffic out.  Everything else is blocked.  There are two main reasons for this.  One, you break a ton of hacker tools when you perform egress filtering.  The second is that you identify which systems are trying to do something that is not expected or allowed through an alert generated at the firewall.  This is invaluable information.

Certainly hackers can and do hide their return traffic in valid HTTP, FTP and other protocols.  Web gateway and proxy filters can help identify this traffic.  By implementing egress filtering, you’ve effectively created a roadblock where every vehicle (packet) will be stopped and inspected.  Any attempts to bypass the roadblock are obvious signs of bad behavior and receive a swift investigation response.

If you want to know what’s happening on your network and be able to identify the source of compromised systems faster, implement egress filtering.  You’ll temporarily break a few things in the process but it’s a small price to pay for identifying the source on internal hacking attempts.