JP Vossen on 23 Oct 2016 14:28:20 -0700


[PLUG] Egress filters & monitoring

TL;DR: Lock down your outgoing traffic and monitor your logs.

The thing I have yet to see in the various other ongoing "discussions" (and I'm using that term loosely) at the moment is firewall egress filters. Everyone at this point knows about ingress filters, but specific egress filters seem to be mostly lost in the noise.

Once upon a time we could have made a real dent in malicious traffic in general and spam in particular if corporations and ISPs had actually implemented strong egress filters. Alas, most didn't and the suckage has continued and gotten vastly worse. Today, even if we could magically get everyone to implement them, I'm not sure how much it would help...but it would help some.

This goes back to two of the major mantras of both network administration and security:

LOCK DOWN your outgoing traffic just as hard as your incoming traffic! Yes, it's a pain, but if you have even a basic clue about either network administration or security you already need to know your network, so you know where at least some of your traffic needs to go, so it's not all that much extra work. It *is* more support calls, when Stupid Shit(tm) that shouldn't be on your network anyway stops working. And yes, probably a lot of that SS is from the c-levels. (Lots of us are old enough to remember the c-levels that just HAD to have their AOL...) That's your battle to fight.

Nothing should be leaving your network with a source address other than yours. Spoofed source addresses used to be a really big facilitator for DoS and DDoS attacks, though it seems like lately other kinds of amplification & IoT attacks have far surpassed spoofed addresses. ISPs could stop that cold by simply blocking traffic leaving their network blocks that claims to be from a source that isn't in those blocks.

That's probably the biggest and simplest one. There are many more; whole books have been written on both perimeter (for as much as that concept even applies these days) and end-point security. Other examples:

* Random machines on your network should *not* be sending email. Route that properly via MTAs and ruthlessly block it everywhere else.
* Ditto DNS.
* Random machines on your network should mostly *not* be connecting to random ports on random destinations. Most machines in most environments probably need outgoing 80 and 443 and that's it. (OK, that may be a gross over-simplification that can get very messy very fast, depending on your environment...)

I'm not going to touch on the IoT debacle except to say that all that garbage should be on a DMZ...but that's probably too much to ask of consumers. Perhaps all new consumer routers should come with a built-in DMZ for IoT crap, if that's even feasible, which I haven't thought that much about, and if the router itself isn't part of the problem. Sigh.

Egress filters are a help, even if they aren't as much of a help as they used to be. But everything is better with log monitoring. That's how you find the random machines trying to send random emails, and lots of other Stupid Shit. And it's part of knowing your network (and your whole environment). Log monitoring is not all that hard for small environments, but it gets logarithmically harder as the environment grows and there are lots of companies to help you out with that (like the one I work for :).

It takes time to set up and tune but anyone with the skills to actually be a network or systems admin can do it. Logcheck and fcheck are my favorites for small environments, though they don't scale well. There are many other tools, systems, and products to help out, like LogStash, Splunk, and lots and lots more. Again, whole books and many companies...

Well, this got longer than I intended, as usual, so I'll stop...

-- 
JP Vossen, CISSP
Philadelphia Linux Users Group
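As an added example, not from JP's post, here is a small Python checker that applies the egress policy he describes (source address must be in our own blocks, SMTP only from the MTAs, DNS only from the resolvers, everything else gets 80 and 443) to netfilter LOG-target lines, which is the kind of check a logcheck-style monitor would run to find the random machine sending its own email. The address block, the MTA and resolver addresses, and the log lines are all constructed for the example.

```python
import ipaddress
import re

# Assumed policy, constructed for this example: our address block, the only
# hosts that may send SMTP or DNS outbound, and the ports everything else gets.
OUR_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
MTAS = {ipaddress.ip_address("192.0.2.25")}
RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
GENERAL_PORTS = {80, 443}

# Pulls SRC=, PROTO= and DPT= out of a netfilter LOG-target line.
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse_log_line(line):
    """Return (src, proto, dport) for a LOG line, or None if it has no flow fields."""
    f = dict(FIELD.findall(line))
    if "SRC" not in f or "PROTO" not in f:
        return None
    return ipaddress.ip_address(f["SRC"]), f["PROTO"], (int(f["DPT"]) if "DPT" in f else None)

def egress_violation(src, proto, dport):
    """Return a reason if the outbound flow breaks egress policy, else None."""
    if not any(src in block for block in OUR_BLOCKS):
        return "spoofed source %s is not in our address blocks" % src
    if dport is None:  # ICMP and friends carry no port; not covered by this policy
        return None
    # Web for everyone; SMTP only from the MTAs, DNS only from the resolvers.
    allowed = set(GENERAL_PORTS) | ({25} if src in MTAS else set())
    allowed |= {53} if src in RESOLVERS else set()
    if dport in allowed:
        return None
    what = {25: "direct SMTP", 53: "direct DNS"}.get(dport, "port %s/%d" % (proto, dport))
    return "%s from %s" % (what, src)

def scan(lines):
    """Return (line, reason) for every log line that violates egress policy."""
    flows = [(line, parse_log_line(line)) for line in lines]
    return [(line, r) for line, f in flows if f and (r := egress_violation(*f))]

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "FW-OUT: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=443",   # workstation, web: fine
    "FW-OUT: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=25",    # workstation sending mail itself
    "FW-OUT: OUT=eth0 SRC=192.0.2.25 DST=198.51.100.9 PROTO=TCP DPT=25",    # the MTA: fine
    "FW-OUT: OUT=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP DPT=53",   # source not ours: spoofed
    "FW-OUT: OUT=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP DPT=53",    # workstation doing its own DNS
    "FW-OUT: OUT=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP DPT=6667",  # IRC, not on the allow list
    "FW-OUT: OUT=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=ICMP TYPE=8",  # ping: no port, not judged
]
```

Running scan(SAMPLE_LOG) flags four of the seven lines: the workstation doing SMTP, the spoofed source, the workstation doing DNS, and the IRC connection; the MTA's SMTP, the web traffic and the ping pass.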