With so many threats looming from intruders and malicious software originating outside of systems and corporate LANs, it’s easy to overlook the fact that security lapses and vulnerabilities can equally emanate from within a connected system or private network, and make their way out to cause damage as well.
So for comprehensive security coverage, it’s essential not only to have tools and software guarding against external threat vectors but also to have some way of observing and regulating the flow of information passing out of a computer system or corporate network. That’s where egress monitoring and filtering comes in.
Egress Monitoring – Defining Terms
“Egress” means “going out”, and in a networking sense refers to outbound traffic such as data packets, email messages, or requests to external websites and servers. This flow of information may occur at any time, as users, resources, and applications within a network communicate with systems and networks outside of the corporate firewall.
For security purposes, the main concern is the flow of unwanted, malicious, or destructive traffic that may leave a network unchecked.
Egress Monitoring – Filtering and Blocking
Egress filtering is undertaken with the objective of sifting through outgoing packets to ensure that unsecured data transmissions, unauthorized communications, rogue or unsanctioned requests to external sites, malware and the like are not part of the outward traffic flow. It’s achieved by setting up and enforcing rigorous and comprehensive policies for an outbound firewall, which is configured to block the passage of certain types of data from a particular network.
For example, blocking rules might be put in place to prevent the transmission of intellectual property or copyrighted materials from a network, or filtering rules might specify which particular servers or systems in a corporate LAN should have rights to send data out of the network.
Egress Monitoring – APTs and Exfiltration
Accidental or one-off transmissions of sensitive or mission-critical data can be serious enough, but corporate networks also face the challenge of sustained and multi-phased attacks, which are staged with the purpose of siphoning off information or compromising and exerting control over network assets over a long period.
These advanced persistent threats or APTs can result in prolonged periods of the leeching out or exfiltration of corporate data. It’s estimated that many government agencies and large enterprises have routinely suffered data exfiltrations that remained undetected for up to 28 months.
Motives for Egress Monitoring
For the enterprise itself, monitoring and management of egress traffic provides essential control over external services that hosts within the network can gain access to. It’s a hedge against the exfiltration of data by (for example) malware surreptitiously installed by malicious intruders, or the inadvertent release into the wild of sensitive corporate data through human error and lax security practices.
For those associated with the enterprise (partners, contractors, the user base for subscribed services, etc.), egress monitoring provides protection against the possibility of compromised systems or unauthorized users that might exploit network resources to spread damage more widely (e.g. by serving as a bot in a Denial of Service attack, delivering spam, etc.).
Watching Outbound Traffic
Before effective monitoring can begin, it’s necessary to establish where outbound network traffic is currently going. A thorough assessment of the network should reveal which systems and applications need access to which services on the internet and external servers. It should then be a priority to determine which external services are permitted to receive outward bound data and those that should be blocked.
A rigorous security policy must be set up to establish rules and firewall settings for outbound traffic throughout the network. Input from stakeholders at all levels should be sought to reach a consensus on the terms of the organization’s policies on security and acceptable use – or to draw these policies up if they don’t already exist. Stakeholders should include those involved in risk management and mitigation, as well as those responsible for network security as a whole.
A list of network resources with approved access to internet services should be drawn up. These might typically include assets which support email and DNS functions from an organization’s internal servers – things like SMTP, NTP, POP/IMAP, or HTTP/HTTPS, together with relevant domain names and IP addresses.
For the blocking of prohibited egress traffic at a firewall or proxy, lists should be compiled of the types of content that will be permitted or denied. Depending on the size of the enterprise and its working practices, it may be necessary to define sets of permissions for specific departments or user groups.
Consideration should also be given to known malicious destinations on the internet, such as the command and control (C&C) centers of botnets, hostile hosting providers, hijacked address spaces – and how access to these sites may be effectively blocked.
Implementing Zero Trust
In setting firewall policies, a “zero trust” approach should be adopted initially, with no outbound traffic being allowed to leave the network without explicit permission. This is the polar opposite to the default settings of many corporate firewalls, which allow passage of data to any external address that’s in a valid format – clearly not an acceptable state of affairs in an atmosphere where IP addresses are routinely hijacked or spoofed.
Authorized access should then be allowed to those services identified in corporate security and acceptable use policies. Network administrators should be given filtered access to network systems and security assets outside the firewall. Then rules should be added for servers operating from within the organization’s trusted network to gain access to approved servers hosted on the internet.
Initial and periodic testing of network firewall configurations should be conducted by auditors, firewall experts, and/or security professionals, with an eye to ensuring that the expected allowance or denial of access is being observed at network ports, endpoints, and running addresses.
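As an added illustration of the default-deny policy and the test cycle described in the preceding steps (example code, not from the original article), the following Python models an egress allowlist and evaluates constructed flow records against it; the internal hosts, address ranges and the blocked destination are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range (constructed)

@dataclass(frozen=True)
class Flow:
    src: str    # internal host originating the connection
    dst: str    # external destination address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

# Allowlist of (source, protocol, port) tuples permitted to leave the network; anything
# not listed is denied by default. Hosts are hypothetical: 10.0.1.10 is the mail relay,
# 10.0.1.53 the DNS resolver, 10.0.1.123 the NTP server, 10.0.2.0/24 the web proxy tier.
ALLOW = [
    ("10.0.1.10/32", "tcp", 25),    # SMTP only from the mail relay
    ("10.0.1.53/32", "udp", 53),    # DNS only from the internal resolver
    ("10.0.1.53/32", "tcp", 53),
    ("10.0.1.123/32", "udp", 123),  # NTP only from the time server
    ("10.0.2.0/24", "tcp", 80),     # HTTP/HTTPS only via the proxy tier
    ("10.0.2.0/24", "tcp", 443),
]

# Known-bad destinations (constructed placeholder using a documentation range, not a
# real C&C address); a real deployment would load these from a threat-intelligence feed.
BLOCK_DST = [ipaddress.ip_network("203.0.113.0/24")]

def evaluate(flow: Flow) -> str:
    """Return 'not-egress', 'block-c2', 'allow' or 'deny' for one flow. Known-bad
    destinations are refused before the allowlist is consulted, so a compromised
    but allowlisted host still cannot reach a C&C server on an allowed port."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return "not-egress"  # only internal -> external traffic is judged here
    if any(dst in net for net in BLOCK_DST):
        return "block-c2"
    for net, proto, port in ALLOW:
        if src in ipaddress.ip_network(net) and (flow.proto, flow.dport) == (proto, port):
            return "allow"
    return "deny"  # zero-trust default: no explicit permission, no egress

if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for f in [Flow("10.0.1.10", "198.51.100.20", "tcp", 25),   # mail relay: allow
              Flow("10.0.5.7", "198.51.100.20", "tcp", 25),    # workstation SMTP: deny
              Flow("10.0.5.7", "192.0.2.9", "tcp", 443),       # bypassing proxy: deny
              Flow("10.0.2.15", "192.0.2.9", "tcp", 443),      # proxy HTTPS: allow
              Flow("10.0.2.15", "203.0.113.5", "tcp", 443)]:   # proxy to C&C: block-c2
        print(f"{f.src:>10} -> {f.dst}:{f.dport}/{f.proto}  {evaluate(f)}")
```

Running the same evaluation over exported firewall logs or flow records gives the expected-versus-actual comparison that the periodic audit calls for.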