Network egress filtering -- to block unnecessary, and possibly malicious, traffic from exiting your network -- is typically a forgotten security technique today due to a reliance on expensive security products like data leakage prevention (DLP) solutions, intrusion prevention systems (IPS), and network access control (NAC).
But leveraging your network devices to perform egress filtering is one way to harden the perimeter inexpensively. Instead of focusing on incoming traffic, the rules are applied to outgoing traffic.
The discussion of how to design and apply egress filters often devolves into a religious debate of the Linux-versus-Windows variety. Lorna Hutcheson recently wrote on the topic at the SANS Internet Storm Center Handler's Diary, pointing out that the network group often opposes egress filtering and argues that it is difficult to implement, while the security group maintains that it is necessary.
In response to one reader asking about egress filtering, Hutcheson said, "you can not defend your company's information and network without doing egress filtering." This raises the question: How do you do proper egress filtering using existing network infrastructure, and what free and open source solutions are available?
The obvious choices for applying egress filters are your existing routers and firewalls, but care must be taken to make sure that this approach doesn't inadvertently block legitimate traffic as well. This is why network groups often complain about the difficulty and complexity of egress filtering: For it to be successful, an in-depth understanding of the computer systems and network traffic within your environment is required.
Routers and firewalls deployed both at the perimeter and within the internal network are candidates for egress filters. A common design error is to assume that egress filtering applies only to traffic leaving the network for the Internet; the same rules can also be applied between internal network segments, such as those separating sales, marketing, finance, and support.
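As an added example that is not part of the original article, the following nftables ruleset for a Linux gateway shows a default-deny egress policy applied both at the Internet edge and between department segments. The interface names, addresses, segments, and the proxy, resolver and mail-relay hosts are all assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): default-deny egress policy on a Linux
# gateway. eth1 = internal side, eth0 = Internet side. Every address and
# interface below is an assumption chosen for illustration.
flush ruleset

define WAN_IF   = eth0
define LAN_IF   = eth1
define PROXY    = 10.0.0.10       # assumed Squid/Untangle proxy host
define DNS_SRV  = { 10.0.0.53 }   # assumed internal resolvers
define MAIL_SRV = 10.10.30.25     # assumed outbound mail relay
define SALES    = 10.10.10.0/24   # assumed department segments
define FINANCE  = 10.10.20.0/24

table inet egress {
    # Only forwarded (egress) traffic is filtered here; ingress policy is out of scope.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Traffic leaving for the Internet.
        iifname $LAN_IF oifname $WAN_IF jump to_internet
        # Traffic between internal segments gets egress rules too.
        iifname $LAN_IF oifname $LAN_IF jump between_segments

        # Anything else that would leave is logged once, then dropped by policy.
        log prefix "EGRESS-DROP " counter
    }

    chain to_internet {
        # Web leaves only via the proxy, where sites can be filtered and logged.
        ip saddr $PROXY tcp dport { 80, 443 } accept
        # Only the mail relay may speak SMTP to the outside world.
        ip saddr $MAIL_SRV tcp dport 25 accept
        # DNS leaves only from the internal resolvers.
        ip saddr $DNS_SRV meta l4proto { tcp, udp } th dport 53 accept
        # A workstation reaching the Internet directly is the event worth seeing.
        log prefix "EGRESS-DIRECT " counter drop
    }

    chain between_segments {
        # Workstations reach the proxy and resolvers; only finance reaches the mail relay.
        ip saddr { $SALES, $FINANCE } ip daddr $PROXY tcp dport 3128 accept
        ip saddr { $SALES, $FINANCE } ip daddr $DNS_SRV udp dport 53 accept
        ip saddr $FINANCE ip daddr $MAIL_SRV tcp dport 587 accept
        log prefix "SEGMENT-DROP " counter drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the three prefixes: a steady stream of "EGRESS-DIRECT" entries from a workstation segment is exactly the kind of policy violation the article recommends monitoring for.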
Egress filtering is not limited to routing devices like firewalls and routers; it can be implemented via network-based application proxies for Web, e-mail, and other supported protocols. Firewalls with unified threat management (UTM) capabilities typically include this functionality, but if your company hasn't already invested in a UTM firewall, open source alternatives do exist.
Squid is easily the most well-known open source Web proxy. Using Squid, you can both filter which Web sites users are allowed to visit and monitor for policy violations.
A more comprehensive solution that goes beyond HTTP filtering is available from Untangle. It integrates open source tools for Web and spam filtering, network protocol management (e.g., blocking file sharing and instant messaging), and more. Untangle also provides a commercial version with full support and additional features.
An interesting alternative to traditional egress filtering, which is typically very static and based on IP addresses, protocols, and ports, is identity-based firewall solutions like the open source project NuFW. With NuFW and other identity-based firewalls, the rules governing a computer system and what it can connect to are based on the identity of the authenticated user of that system.
Tying rules to identities and groups is very powerful and can be particularly useful in dynamic environments, where multiple users use the same system, and mobile workers come and go using available office space when needed.
Monitoring and protecting the data leaving your network does not have to cost hundreds of thousands of dollars to be effective. Start with the basics of locking down what can leave the network through egress filtering, and monitor that content with proxies that give more granularity to what can be controlled. Then decide where you stand and if additional solutions like DLP are necessary.