[PLUG] Egress filters & monitoring

[JP Vossen <jp@jpsdomain.org>]

TL;DR: Lock down your outgoing traffic and monitor your logs.

The thing I have yet to see in the various other ongoing "discussions" 
(and I'm using that term loosely) at the moment is firewall egress 
filters.  Everyone at this point knows about ingress filters, but 
specific egress filters seem to be mostly lost in the noise.

Once upon a time we could have made a real dent in malicious traffic in 
general and spam in particular if corporations and ISPs had actually 
implemented strong egress filters.  Alas, most didn't and the suckage 
has continued and gotten vastly worse.  Today, even if we could 
magically get everyone to implement them, I'm not sure how much it would 
help...but it would help some.

This goes back to two of the major mantras of both network 
administration and security:
	KNOW YOUR NETWORK
	MONITOR YOUR LOGS

LOCK DOWN your outgoing traffic just as hard as your incoming traffic! 
Yes, it's a pain, but if you have even a basic clue about either network 
administration or security you already need to know your network, so you 
know where at least some of your traffic needs to go, so it's not all 
that much extra work.  It *is* more support calls, when Stupid Shit(tm) 
that shouldn't be on your network anyway stops working.  And yes, 
probably a lot of that SS is from the c-levels.  (Lots of us are old 
enough to remember the c-levels that just HAD to have their AOL...) 
That's your battle to fight.

Nothing should be leaving your network with an source address other than 
yours.  Spoofed source addresses used to be a really big facilitator for 
DoS and DDoS attacks, though it seems like lately other kinds of 
amplification & IoT attacks have far surpassed spoofed addresses.  ISPs 
could stop that cold by simply blocking traffic leaving their network 
blocks that claims to be from a source that isn't in those block.

That's probably the biggest and simplest one.  There are many more, 
whole books have been written on both perimeter (for as much as that 
concept even applies these day) and end-point security.  Other examples:
* Random machines on your network should *not* be sending email.  Route 
that properly via MTAs and ruthlessly block it everywhere else.
* Ditto DNS.
* Random machines on your network should mostly *not* be connecting to 
random ports on random destinations.  Most machines in most environments 
probably need outgoing 80 and 443 and that's it.  (OK that may be a 
gross over-simplification that can get very mess very fast, depending on 
your environment...)

I'm not going to touch on the IoT debacle except to say that all that 
garbage should be on a DMZ...but that's probably too much to ask of 
consumers.  Perhaps all new consumer routers should come with a built-in 
DMZ for IoT crap, if that's even feasible, which I haven't thought that 
much about, and if the router itself isn't part of the problem.  Sigh.

Egress filters are a help, even if they aren't as much of a help as they 
used to be.  But everything is better with log monitoring.  That's how 
you find the random machines trying to send random emails, and lots of 
other Stupid Shit.  And it's part of knowing your network (and your 
whole environment).  Log monitoring is not all that hard for small 
environments, but it gets logarithmically harder as the environment 
grows and there are lots of companies to help you out with that (like 
the one I work for :).

It takes time to set up and tune but anyone with the skills to actually 
be a network or systems admin can do it.  Logcheck and fcheck are my 
favorites for small environments, though they don't scale well.  There 
are many other tools, systems, and products to help out, like LogStash, 
Splunk, and lots and lots more.  Again, whole books and many companies...

Well this got longer than I intended, as usual so I'll stop...

Later,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug