Egress Filtering is the term for filtering data packets as they leave your network. It is usually performed on an Intrusion Prevention System or firewall that monitors traffic, inbound or outbound, at the network boundary. It is often used in addition to other security mechanisms such as Domain Name System Security Extensions (DNSSEC), which provides authentication for domain names, and (D)TLS, which provides end-to-end encryption for most Internet websites through HTTPS traffic.
Working:
The simplest way to see how Egress Filtering works is through an analogy. Imagine controlling what your teenager can take out of the house: when they leave, they have no pockets, and anything they take with them has to fit in a bag that may only contain certain items. Egress Filtering works the same way: it limits what data packets flowing out of your network may contain, based on rules that you specify. A rule can limit which protocols your network will allow to flow through it, allow only certain ports of a protocol to be used, or block protocols that you don’t want on your network at all.
There are two main approaches to Egress Filtering: matching on TCP/UDP ports, which is called Port-Based Egress Filtering, and matching rules against the specific traffic itself, which is called Protocol-Based Egress Filtering.
Port-Based Egress Filtering:
Port-Based Egress Filtering involves identifying certain traffic that you don’t want to leave your network and blocking it from doing so. This is usually done by specifying a range of ports that shouldn’t be accessed in your network or shouldn’t have data packets leaving your network. For example, if you’re running a web server on port 80, you can block any traffic going towards ports smaller than 80. Protocol-Based Egress Filtering is much more complex: it involves determining the contents of a data packet’s protocol and making decisions based on those contents.
Key points:
- You can filter traffic based on the contents of a data packet’s protocol.
- Protocol Based Egress Filtering is much more complex than Port-Based Filtering.
- Protocol-Based Egress Filtering involves the process of identifying what is in a data packet by inspecting its header and then making decisions about it.
- This helps to determine whether a certain port should be allowed or if an entire range of protocols shouldn’t be allowed to leave your network.
- For example, if you notice that FTP traffic moving outside your network often contains user credentials and sensitive information, then you may want to block FTP traffic from leaving your network entirely.
- You can filter traffic by making decisions about a data packet’s contents.
An Overview of Egress Filtering Rules:
The rules that you use to specify what traffic is and isn’t allowed to leave your network should be very specific, as this is one of the most important parts of ensuring your network is protected. The following points will help you when creating these rules:
- A rule that denies all traffic with a particular protocol or port is typically overly invasive, as it can block legitimate traffic that shouldn’t be blocked.
- Only allow traffic that has been specifically permitted by a rule; everything else should be denied by default.
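To make the port-based versus protocol-based distinction and the allow-only-what-a-rule-permits principle concrete, here is a small policy evaluator in Python. It is an added example, not code from the original article; the Flow and Rule types, the POLICY list and the sample flows are all constructed for illustration.

```python
# Tiny egress-policy evaluator (added example, not from the original article).
# Port-based rules look only at transport and destination port; protocol-based
# rules look at what the payload actually is (the app field). Default is deny.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    transport: str  # "tcp" or "udp"
    dst_port: int
    app: str        # application protocol identified by inspecting the payload

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    transport: Optional[str] = None  # None matches any transport
    dst_port: Optional[int] = None   # None matches any port (protocol-based rule)
    app: Optional[str] = None        # None matches any app (port-based rule)

    def matches(self, flow: Flow) -> bool:
        return ((self.transport is None or self.transport == flow.transport)
                and (self.dst_port is None or self.dst_port == flow.dst_port)
                and (self.app is None or self.app == flow.app))

# Ordered policy: first matching rule wins; no match falls through to deny.
POLICY = [
    Rule("deny", app="ftp"),                       # protocol-based: FTP on any port
    Rule("allow", transport="udp", dst_port=53),   # port-based: DNS
    Rule("allow", transport="tcp", dst_port=443),  # port-based: HTTPS
]

def evaluate(flow: Flow, policy=POLICY) -> str:
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"  # default-deny: nothing a rule did not explicitly allow leaves

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("tcp", 443, "tls"),   # normal HTTPS: allowed by the port rule
    Flow("udp", 53, "dns"),    # DNS lookup: allowed by the port rule
    Flow("tcp", 21, "ftp"),    # FTP on its usual port: denied by the protocol rule
    Flow("tcp", 443, "ftp"),   # FTP on a non-standard port: a port-only rule would pass it
    Flow("tcp", 8080, "http"), # no rule matches: default-deny
]

def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    # Returns (dst_port, app, verdict) per flow, the shape a rule review report needs.
    return [(f.dst_port, f.app, evaluate(f, policy)) for f in flows]
```

The fourth sample flow is the reason the article calls protocol-based filtering more powerful: a rule keyed on port 443 alone would let it through.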
Countermeasures:
- Change default ports or protocols to avoid port scanning.
- Another way to reduce the number of vulnerabilities in your network is to reduce the amount of traffic that leaves it. Allow no more than 20% of your traffic to leave the network.
- There are also tools, like the Passive Scan tool, that can be run against systems and networks on port 80 only, to find out exactly what kind of traffic is leaving your network.
- There are also some other static analysis tools for different protocols that can be used to analyze packets and determine what kind of information may be contained in them.