
Egress Filtering

Trusted SF Member

Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Posted: Wed Oct 30, 2002 4:41 pm    Post subject: Egress Filtering

This is a nice article about the importance of Egress filters on your network.

Many thanks to Watchguard in the US for this.

NB: some URLs may not work correctly.

WHEN IMPLEMENTING PERIMETER SECURITY on a network, one of the first
things the security architect will do is configure the firewalls and
edge (Internet access) routers. Since the main purpose of the
"Internet" firewall is to protect the internal or trusted network
from the external public Internet, the firewall rule set
traditionally focuses on ingress filtering, that is, filters to
inspect the incoming data, and block or deny any unwanted packets.
What organizations often forget to consider is the filtering of
unwanted "outgoing" network traffic, or egress filtering.


You might be asking yourself: why would you care about outgoing
traffic? Isn't the whole idea of a firewall and/or router to stop
unwanted traffic from the untrusted Internet from coming into your
network? Then the goal should be to protect your private network
from attacks, correct? This is true, but without the proper security
controls in place, an attacker could use your network to siphon
sensitive information from a system he's compromised through a worm
or backdoor, or attack systems on other trusted networks under your
administration. The attacker can also put systems on your trusted
networks to use as agents for DDoS attacks,
or to perpetrate all manner of attacks against other networks and
e-merchant sites, leaving the evidence trail pointing to you.

The main purposes for implementing egress filtering are to (a)
prevent packets that contain invalid or incorrect addresses from
leaving your site, and (b) prevent communication to unauthorized or
questionable TCP and UDP ports from valid addresses. While these
packets could be originating from a misconfigured router, it is
quite likely that they are coming from a Trojan or backdoor program
on a compromised system on your trusted network. This compromised
system could also be running a distributed denial of service (DDoS)
tool, such as Tribal Flood Network and Trinoo. The actual method of
how the DDoS client works is not important for our discussions here.
What is important is that once compromised, your system becomes an
unwilling participant in an attacker's plan to attack and possibly
bring down other systems. Egress address filtering makes it harder
for attackers to use your system as a relay site, and similarly,
careful port filtering can render many backdoors ineffective as


Egress address filtering works by denying all directed broadcast
packets from being forwarded, and by allowing only those IP
addresses assigned by the network administrator to trusted hosts to
pass outbound through the firewall. Let's take ICMP packets as an
example. Directed broadcasts are a result of ICMP packets being sent
to a network's broadcast address. All of the hosts connected to the
subnet will respond to the broadcast. If there were 10 hosts on the
network, there would be 10 sets of replies sent out in response to
that one ICMP packet. If those responses are allowed to pass through
your firewall and onto the Internet, they can be directed to an
unsuspecting victim's machine on some remote network. All of a
sudden, some poor host is getting bombarded with ICMP packet replies
from someone on the Internet. Maybe 10 sets of replies is not a big
deal, but imagine this attack being performed against this one host
from several hundreds or even thousands of other sites, at the same
time. The unsuspecting victim doesn't stand a chance.

Egress port filtering works by denying all traffic forwarded to
ports, other than a specific list of "well-known" ports you permit,
according to your organization's appropriate use policy. For
example, your organization may permit employees' use of HTTP (TCP
80), POP/SMTP (TCP 110, 25), and DNS (UDP 53). If your egress port
filtering denies all other ports, then attempts by malicious code to
communicate over any temporarily assigned or ephemeral port will be
blocked. Reviewing the firewall logs for all denied egress port
traffic will help you determine if an application is trying to send
data outside your network.
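The two filter types described above (address filtering, which refuses directed broadcasts and unassigned source addresses, and port filtering, which permits only an allowlist of well-known services and denies everything else) can be expressed as one ordered forwarding decision. The following is an added example, not code from the article or from Watchguard; the address block 203.0.113.0/24 and the allowlist of TCP 80, 110, 25 and UDP 53 are assumed values taken from the article's own example services, and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed values for this example: the organisation's assigned address block
# (203.0.113.0/24 is a documentation range) and the article's sample allowlist
# of HTTP (TCP 80), POP/SMTP (TCP 110, 25) and DNS (UDP 53).
ASSIGNED_PREFIXES = [ip_network("203.0.113.0/24")]
PERMITTED_SERVICES = {("tcp", 80), ("tcp", 110), ("tcp", 25), ("udp", 53)}
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


def is_directed_broadcast(dst) -> bool:
    """True if dst is the broadcast address of a subnet we know, or the limited broadcast."""
    if dst == LIMITED_BROADCAST:
        return True
    return any(dst == net.broadcast_address for net in ASSIGNED_PREFIXES)


def forwarding_decision(pkt: Packet) -> Tuple[str, str]:
    """Decide whether the perimeter device should forward pkt towards the Internet.

    Rules, in order (first match wins), mirroring the article's two filter types:
      1. never forward directed-broadcast packets (address filtering; this rule
         applies to forwarded packets in either direction);
      2. drop anything whose source is not one of our assigned addresses
         (address filtering: spoofed or misconfigured hosts);
      3. permit only the allowlisted well-known services and deny everything
         else, including ephemeral ports and ICMP (port filtering, default deny).
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if is_directed_broadcast(dst):
        return ("deny", "directed-broadcast")
    if not any(src in net for net in ASSIGNED_PREFIXES):
        return ("deny", "unassigned-source")
    if (pkt.proto, pkt.dport) in PERMITTED_SERVICES:
        return ("permit", "allowed-service")
    return ("deny", "not-permitted")


def evaluate_all(packets):
    """Apply the policy to a batch and return one (verdict, reason) per packet."""
    return [forwarding_decision(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [
        Packet("203.0.113.10", "192.0.2.50", "tcp", 80),      # normal web request
        Packet("203.0.113.10", "192.0.2.50", "udp", 53),      # DNS query
        Packet("203.0.113.10", "198.51.100.7", "tcp", 6667),  # unexpected outbound port
        Packet("10.0.0.5", "192.0.2.50", "tcp", 80),          # source not ours
        Packet("192.0.2.77", "203.0.113.255", "icmp"),        # aimed at our broadcast address
    ]
    for p, (verdict, reason) in zip(sample, evaluate_all(sample)):
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}  {verdict:6} ({reason})")
```

The order matters: the address checks come before the port allowlist, so a spoofed source never reaches the "permitted service" rule even when it targets TCP 80. Everything not explicitly matched falls through to the final deny, which is the "deny all outbound, then allow what you need" structure the article recommends.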


The first thing you should do is confirm that egress address
filtering has been set up correctly on your routers. MITRE has
released a freeware tool
that allows a company to check the configuration of their Internet
point-of-presence router. The tool helps companies determine whether
their routers are configured to prevent their systems from being
used as the source of DDoS attacks. At a minimum, an outbound
traffic rule set should be created to ensure that only your assigned
IP addresses are allowed outside your network. Many firewalls allow
you to begin the rule set with a filter that denies all outbound
traffic to all ports. Then you can explicitly allow traffic to the
desired ports. To verify that your egress port filtering policy is
implemented correctly, run any port scanner through the entire port
range (both UDP and TCP) at a public IP address so that you put your
firewall to the test. Enabling logging at your firewall for all
denied packets will help you verify you've implemented egress
filtering correctly.

There are several DDoS vulnerability scanners available to help you
determine if any DDoS clients are installed on your machines. A tool
called the NIPC DDoS detection tool
can detect several DDoS tools on your system, including Trinoo,
Tribal Flood Network, and Stacheldraht. TheoryGroup's Remote
Intrusion Detector (RID) is another tool that can be used to detect
DDoS clients on machines.


Establishment of egress filtering in your perimeter security is just
as important as implementing the incoming traffic rule sets. It
won't stop all DDoS attacks or backdoors, but it gives you the
ability to control what is coming out of your network, and to
monitor appropriate use. And you will be doing your part as a good
netizen in preventing the widespread epidemic of DDoS and other
network attacks.


MITRE's Egressor tool for checking router configurations

National Infrastructure Protection Center (NIPC) DDoS detection tool

TheoryGroup's Remote Intrusion Detector (RID)

Strategies to Protect Against Distributed Denial of Service (DDoS)
Attacks <http://www.cisco.com/warp/public/707/newsflash.html>

Introducing nmap, Scanner of Choice

For details on how outgoing services work specifically for the

Understanding Firebox Services and their Interactions (Part 1)

Understanding Firebox Services and their Interactions (Part 2)