Egress Filtering

You are probably already aware that filtering inbound traffic at the firewall is an essential part of network security, but you may not know that filtering outbound traffic, "egress filtering," is just as important. So important, in fact, that the concept carries over directly into cloud environments.

Egress filtering is a little more subtle than traditional ingress blocking: the goal is not so much to stop attacks directly as to deny attackers information about your network, and to limit the damage from any attack that gets past your other defenses.

It is part of what we call 'defense in depth': layering defenses in your organization so that each covers potential gaps in the others. If an attacker bypasses one defense, another should catch them.

In the case of egress filtering, it counters two situations: an attacker sniffing internal traffic that leaks out past the gateway (NetBIOS traffic, for instance, reveals how the network is structured and which systems are active on it), and, once an attacker has succeeded in infecting a system, the command-and-control (C2) traffic that system generates, which egress rules can block and, just as importantly, log and alert on.

As an example, a client discovered that a system on their network had become infected with malware; we found it because the NIDS in their AlienVault installation flagged suspicious DNS requests. The system was receiving C2 (command and control) instructions from a foreign country, via a DNS server located in that country.

To prevent this from recurring, we advised them to enable egress filtering for DNS: only their domain controller would be allowed to send DNS requests outside the network; every other system would have to resolve names through the domain controller, which would forward external requests on their behalf.

With this measure in place, even if another system became infected with the same kind of malware, it could not 'phone home' this way: its request to the DNS server outside the network would be dropped at the firewall, and the attempt would be logged and sent to the AlienVault system, turning a silent compromise into an alert. Note the limit of the control: it blocks direct resolution against external servers. Malware that instead queries the domain controller, which forwards on its behalf, is not stopped by this rule alone, so the domain controller's own query logs should feed the same monitoring.
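As an added illustration (this is not the article's configuration, AlienVault code, or any real firewall's syntax), here is a small Python model of that DNS egress policy: an ordered, first-match rule list evaluated against outbound flows, where the deny rule produces the log line a firewall would forward to the SIEM. The addressing is assumed for the demo: 10.0.0.0/8 is the internal network, the domain controller is 10.0.0.10, and the external hosts use documentation (TEST-NET) addresses. The sample flows and the log format are constructed.

```python
"""Egress-policy model: ordered, first-match rules over outbound flows.

Added illustration; not from the original article or any vendor product.
Addresses, rule names and the log format below are assumptions for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing: 10.0.0.0/8 is "inside"; the domain controller at
# 10.0.0.10 is the only host permitted to resolve DNS outside the network.
INTERNAL_NET = "10.0.0.0/8"
DOMAIN_CONTROLLER = "10.0.0.10/32"


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "udp" or "tcp" (informational; DNS uses both)
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # CIDR; None matches any source
    dst: Optional[str] = None   # CIDR; None matches any destination
    dport: Optional[int] = None # None matches any port
    log: bool = False           # emit a log line when this rule fires

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


# The advice from the article as an ordered policy: clients may talk DNS
# to the domain controller, the domain controller may talk DNS to anyone,
# and every other DNS flow is denied and logged. Non-DNS traffic is out of
# scope for this example and falls through to a permissive default.
DNS_EGRESS_POLICY: List[Rule] = [
    Rule("clients-to-dc-dns", "allow", src=INTERNAL_NET, dst=DOMAIN_CONTROLLER, dport=53),
    Rule("dc-to-external-dns", "allow", src=DOMAIN_CONTROLLER, dport=53),
    Rule("block-external-dns", "deny", dport=53, log=True),
    Rule("default-allow", "allow"),
]


def evaluate(flow: Flow, policy: List[Rule]) -> Tuple[str, str, Optional[str]]:
    """Return (action, rule_name, log_line) for the first rule matching `flow`.

    `log_line` is None unless the matching rule has log=True.
    """
    for rule in policy:
        if rule.matches(flow):
            line = None
            if rule.log:
                # Constructed syslog-style line, the kind a firewall would
                # forward to a SIEM such as the AlienVault box in the article.
                line = (f"EGRESS_{rule.action.upper()} rule={rule.name} "
                        f"src={flow.src} dst={flow.dst} proto={flow.proto} dport={flow.dport}")
            return rule.action, rule.name, line
    raise ValueError("policy has no terminal rule")


def run_flows(flows: List[Flow], policy: List[Rule]) -> Tuple[List[str], List[str]]:
    """Evaluate each flow; return the list of actions and the collected log lines."""
    actions, logs = [], []
    for f in flows:
        action, _, line = evaluate(f, policy)
        actions.append(action)
        if line:
            logs.append(line)
    return actions, logs


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges).
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "203.0.113.7", "udp", 53),    # infected workstation -> foreign DNS (C2)
    Flow("10.0.0.10", "198.51.100.2", "udp", 53),   # domain controller -> its upstream forwarder
    Flow("10.0.5.23", "10.0.0.10", "udp", 53),      # workstation -> domain controller (normal)
    Flow("10.0.5.23", "198.51.100.80", "tcp", 443), # ordinary web traffic, untouched by this policy
]

if __name__ == "__main__":
    actions, logs = run_flows(SAMPLE_FLOWS, DNS_EGRESS_POLICY)
    for flow, action in zip(SAMPLE_FLOWS, actions):
        print(f"{action:5} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    for line in logs:
        print(line)
```

Only the workstation's direct query to the foreign resolver is denied, and it is the only flow that produces a log line; the domain controller's own upstream query and the workstation's query to the domain controller both pass. The same ordered-rule model is what a cloud security group or network ACL expresses in its egress section, so the policy translates directly when the "firewall" is a VPC rather than a gateway appliance.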

Simple and smart. Now let's move this concept to the cloud.

Templates, Docker and similar tooling make it cheap to spin up and tear down entire operating-system environments, or just the minimal pieces a workload needs, as business needs change. Imagine having no outbound control over them: we would potentially be allowing traffic between VPCs, out to the world, or into environments we should be controlling. Given the number of zero-day exploits in circulation, even something that is up only briefly can be taken over and used in ways nobody planned. Egress filtering is therefore a strong, practical tool in your arsenal in the cloud as well, and fundamentally, controlling access will always be paramount.