Too many network administrators think only of protecting their private network resources from external attacks when assessing security threats. Today's landscape is littered with threats that emanate from malware-infected endpoints. Attackers can use these to collect and forward sensitive information from your network, or to attack or spam other networks. Companies large and small are better served when network administrators are equally concerned with threats associated with outbound connections. In this column, I discuss ways organizations can improve their risk profile and be better "netizens" by implementing egress traffic filtering.

Filter Egress Traffic to Protect Yourself

Data exfiltration can also be unintentional; for example, an insider might mistakenly attach sensitive information to an email message or upload it to a document-sharing service. If you don't restrict the services that hosts in your internal networks can access, malware will inevitably find its way onto some of your hosts and may exfiltrate data to a location that an attacker controls. Sadly, data exfiltration often results from configuration error: misconfigured NetBIOS, DNS, or other service traffic can leak from your trusted networks and be captured or exploited by external parties. Irrespective of the cause, data exfiltration is a threat you can't mitigate without egress traffic enforcement, and one you can't readily detect if you don't log and monitor the traffic behavior associated with both permitted and prohibited services.

Filter Egress Traffic to Do No Harm to Others

In the most lax of configurations (and sadly, in many default configurations) a firewall or router may treat and forward traffic it receives from any source address as valid. Fred Avolio calls this "The Nefarious Any". Such configurations are green fields for attacks that make use of forged source IP addresses (IP spoofing). Compromised or unauthorized hosts that gain access to your local networks often use IP spoofing to attack (DDoS) other networks, to store child abuse or other illegal material, or to conduct spam or phishing campaigns. This is problem enough in NAT environments: in poorly implemented router configurations, especially where you have multiple access points to the Internet, your organization can inadvertently behave as a transit network for forged, malicious traffic emanating from other organizations.

Compromised or unauthorized systems can play roles in criminal activities without the use of spoofed addresses, too. A compromised server or user device on any of your internal networks (trusted, DMZ, guest) can be used to generate spam or to host malware or phishing sites. A compromised DNS name server can host zone data for a malicious domain. Improperly configured, your DNS resolver (or possibly any UDP-based service you use, such as chargen or NTP) can support a criminal conspiracy! Just as egress traffic filtering can help mitigate data exfiltration from your networked assets, so can it help you protect the world from your network.

Step #1: Egress Traffic Enforcement Policy

Begin by consulting your company's Security Policy and/or Acceptable Use Policy (AUP). If you don't have such policies, gather stakeholders and define them. Include as stakeholders not only the individuals responsible for implementing your company's network security but also those who are party to risk management and mitigation. Without clearly defined notions of network security and a strict application and traffic policy you intend to enforce, your firewall configuration will end up being little more than an ad hoc and troublesome listing of outbound rules to meet users' perceived needs, instead of a well-conceived policy designed to protect the company's resources.

Compose a list of the approved Internet-accessible services. For an organization that outsources email and DNS, this list might include DNS, POP/IMAP, SMTP, NTP, and HTTP/HTTPS.
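As an added example (not part of the column), the enforcement policy above expressed as a small Python evaluator: the approved-service list for an organization that outsources email and DNS, an anti-spoofing check against a hypothetical internal prefix, and a deny log, run over constructed flow records that include the NetBIOS leak and UDP-service abuse the column warns about.

```python
import ipaddress

# Approved Internet-accessible services for an organization that outsources
# email and DNS, as the column lists them: (protocol, destination port).
APPROVED = {
    ("udp", 53), ("tcp", 53),                                # DNS
    ("tcp", 110), ("tcp", 995), ("tcp", 143), ("tcp", 993),  # POP/IMAP (+TLS)
    ("tcp", 25), ("tcp", 587),                               # SMTP / submission
    ("udp", 123),                                            # NTP
    ("tcp", 80), ("tcp", 443),                               # HTTP / HTTPS
}

# Hypothetical internal address space (RFC 5737 test range). Anything leaving
# with another source address is forged traffic and must not be forwarded.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


def evaluate(flow):
    """Return (verdict, reason) for one outbound flow: src, dst, proto, dport."""
    if ipaddress.ip_address(flow["src"]) not in INTERNAL:
        return "deny", "spoofed source: not in internal address space"
    if (flow["proto"], flow["dport"]) not in APPROVED:
        return "deny", f"{flow['proto']}/{flow['dport']} is not an approved service"
    return "permit", "approved service"


def enforce(flows):
    """Apply the policy to a batch of flows; return (permitted flows, deny log)."""
    permitted, deny_log = [], []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "permit":
            permitted.append(flow)
        else:  # logging denied egress is what makes leaks and abuse detectable
            deny_log.append(f"DENY {flow['src']} -> {flow['dst']} "
                            f"{flow['proto']}/{flow['dport']}: {reason}")
    return permitted, deny_log


# Constructed sample flows: an HTTPS session, a DNS query to the outsourced
# resolver, a NetBIOS name-service leak, a chargen probe, and a forged source.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"src": "192.0.2.10", "dst": "198.51.100.53", "proto": "udp", "dport": 53},
    {"src": "192.0.2.25", "dst": "203.0.113.9", "proto": "udp", "dport": 137},
    {"src": "192.0.2.25", "dst": "203.0.113.9", "proto": "udp", "dport": 19},
    {"src": "203.0.113.200", "dst": "198.51.100.7", "proto": "udp", "dport": 53},
]
```

Running `enforce(SAMPLE_FLOWS)` permits the first two flows and logs three denials, which is the monitoring signal the column says you cannot get without egress enforcement.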