ac on 23 Oct 2016 14:38:00 -0700


Re: [PLUG] Egress filters & monitoring

On Sun, 23 Oct 2016 17:28:16 -0400
JP Vossen <> wrote:

> TL;DR: Lock down your outgoing traffic and monitor your logs.
> The thing I have yet to see in the various other ongoing
> "discussions" (and I'm using that term loosely) at the moment is
> firewall egress filters.  Everyone at this point knows about ingress
> filters, but specific egress filters seem to be mostly lost in the
> noise.
wow, snap! - I hit send about a minute after you in my thread... :)

> Once upon a time we could have made a real dent in malicious traffic
> in general and spam in particular if corporations and ISPs had
> actually implemented strong egress filters.  Alas, most didn't and
> the suckage has continued and gotten vastly worse.  Today, even if we
> could magically get everyone to implement them, I'm not sure how much
> it would help...but it would help some.
> This goes back to two of the major mantras of both network 
> administration and security:
> LOCK DOWN your outgoing traffic just as hard as your incoming
> traffic! Yes, it's a pain, but if you have even a basic clue about
> either network administration or security you already need to know
> your network, so you know where at least some of your traffic needs
> to go, so it's not all that much extra work.  It *is* more support
> calls, when Stupid Shit(tm) that shouldn't be on your network anyway
> stops working.  And yes, probably a lot of that SS is from the
> c-levels.  (Lots of us are old enough to remember the c-levels that
> just HAD to have their AOL...) That's your battle to fight.
> Nothing should be leaving your network with a source address other
> than yours.  Spoofed source addresses used to be a really big
> facilitator for DoS and DDoS attacks, though it seems like lately
> other kinds of amplification & IoT attacks have far surpassed spoofed
> addresses.  ISPs could stop that cold by simply blocking traffic
> leaving their network blocks that claims to be from a source that
> isn't in those blocks.
> That's probably the biggest and simplest one.  There are many more,
> whole books have been written on both perimeter (for as much as that
> concept even applies these days) and end-point security.  Other
> examples:
> * Random machines on your network should *not* be sending email.
> Route that properly via MTAs and ruthlessly block it everywhere else.
> * Ditto DNS.
> * Random machines on your network should mostly *not* be connecting
> to random ports on random destinations.  Most machines in most
> environments probably need outgoing 80 and 443 and that's it.  (OK
> that may be a gross over-simplification that can get very messy very
> fast, depending on your environment...)
> I'm not going to touch on the IoT debacle except to say that all that 
> garbage should be on a DMZ...but that's probably too much to ask of 
> consumers.  Perhaps all new consumer routers should come with a
> built-in DMZ for IoT crap, if that's even feasible, which I haven't
> thought that much about, and if the router itself isn't part of the
> problem.  Sigh.
> Egress filters are a help, even if they aren't as much of a help as
> they used to be.  But everything is better with log monitoring.
> That's how you find the random machines trying to send random emails,
> and lots of other Stupid Shit.  And it's part of knowing your network
> (and your whole environment).  Log monitoring is not all that hard
> for small environments, but it gets logarithmically harder as the
> environment grows and there are lots of companies to help you out
> with that (like the one I work for :).
> It takes time to set up and tune but anyone with the skills to
> actually be a network or systems admin can do it.  Logcheck and
> fcheck are my favorites for small environments, though they don't
> scale well.  There are many other tools, systems, and products to
> help out, like LogStash, Splunk, and lots and lots more.  Again,
> whole books and many companies...
> Well this got longer than I intended, as usual so I'll stop...
was quite cool though! - great minds think alike!
(and fools never differ :) )

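Added example, not code from either post: a small Python checker that applies the egress policy sketched above (no spoofed sources leaving your blocks, SMTP only from the MTAs, DNS only from the resolvers, everything else limited to 80/443) to a handful of constructed flow-log records, the way a log-monitoring job would flag "random machines trying to send random emails". The site layout (192.0.2.0/24 and 198.51.100.0/24 as "our" prefixes, an MTA at 192.0.2.25, a resolver at 192.0.2.53) and the log format (timestamp, src, dst, proto, dport) are assumptions for the example.

```python
"""Egress-policy audit over flow records (added example, hypothetical site layout)."""
import ipaddress
from collections import Counter

# Hypothetical site layout, constructed for this example.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
MTA_HOSTS = {ipaddress.ip_address("192.0.2.25")}     # the only hosts allowed to speak SMTP out
RESOLVERS = {ipaddress.ip_address("192.0.2.53")}     # the only hosts allowed to do DNS out
GENERAL_PORTS = {80, 443}                            # what everyone else may reach
SMTP_PORTS = {25, 465, 587}


def _is_ours(addr):
    return any(addr in p for p in OUR_PREFIXES)


def classify_flow(src, dst, proto, dport):
    """Return None if the flow is allowed by the egress policy, else a short verdict."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    proto, dport = proto.lower(), int(dport)
    if _is_ours(dst):
        return None                       # internal traffic is not egress; out of scope here
    if not _is_ours(src):
        return "spoofed-source"           # would be dropped by a source-address egress filter
    if proto == "tcp" and dport in SMTP_PORTS:
        return None if src in MTA_HOSTS else "smtp-from-non-mta"
    if dport == 53 and proto in ("tcp", "udp"):
        return None if src in RESOLVERS else "dns-from-non-resolver"
    if proto == "tcp" and dport in GENERAL_PORTS:
        return None
    return "unexpected-port"


def audit(lines):
    """Parse 'ts src dst proto dport' records and return the flows the policy rejects."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed records
        ts, src, dst, proto, dport = fields
        verdict = classify_flow(src, dst, proto, dport)
        if verdict is not None:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "dport": int(dport), "verdict": verdict})
    return findings


def summarize(findings):
    """Count findings per (source host, verdict) so repeat offenders stand out."""
    return Counter((f["src"], f["verdict"]) for f in findings)


# Constructed flow records: one compliant web flow, the MTA doing its job,
# a workstation repeatedly trying SMTP directly, a workstation doing its own DNS,
# a packet with a source address that is not ours, an internal SMB flow, and IRC.
FLOW_LOG = """\
1477258680 192.0.2.10 203.0.113.5 tcp 443
1477258681 192.0.2.25 203.0.113.20 tcp 25
1477258682 192.0.2.77 203.0.113.20 tcp 25
1477258683 192.0.2.77 203.0.113.21 tcp 25
1477258684 192.0.2.53 203.0.113.1 udp 53
1477258685 192.0.2.10 203.0.113.1 udp 53
1477258686 10.9.8.7 203.0.113.9 udp 123
1477258687 192.0.2.10 192.0.2.30 tcp 445
1477258688 198.51.100.4 203.0.113.40 tcp 6667
"""

if __name__ == "__main__":
    found = audit(FLOW_LOG.splitlines())
    for (src, verdict), n in sorted(summarize(found).items()):
        print(f"{src:15} {verdict:24} {n} flow(s)")
```

The same three decisions in classify_flow map one-to-one onto firewall egress rules (drop non-local sources, allow 25/465/587 only from the MTA, allow 53 only from the resolver, allow 80/443, drop and log the rest); running the check over logs as well is what tells you which host is the one making the support calls happen.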

Philadelphia Linux Users Group