Monthly Archives: August 2014

Egress Filtering: Are you authorized to leave?

One of the first concerns with protecting a network is stopping outsiders from being able to enter into the internal network.  Of course, this does make sense because we believe that the main threat to our network is external by default.  Over the years we have found this to not be so true and that many threats actually are from internal actors.  While I do believe that blocking external requests that are unwanted is completely necessary for a secure network, we should not overlook how data leaves the network.


There are multiple reasons why data may be leaving the internal network.  Maybe the employees are sending data out to clients with a non-malicious intent.  On the other hand, maybe an employee is trying to steal data, or an external attacker has gained entry and is now trying to ex-filtrate the data for future use.  There are two types of data leaving a network: Acceptable and unacceptable.  The first step is to determine what is acceptable data to leave the network.  This includes not only identifying the category of the data, but also how it is transmitted.  What ports does it use?  Is there a specific destination address or originating address for that data?  Once we can start to identify these items, we can then start to determine what cannot be sent out.

An example of traffic  you may want to block is VPN connections.  While a VPN connection creates a secure channel for safely connecting to a network, it also makes it difficult for the company to determine what data is being transmitted over it.  If an employee or attacker is able to create a VPN to an external source and send company confidential information through it, the company may never be aware it happened.  There are lots of other ways to send data to an outside source, so configuring your network to block these avenues is essential.

Egress filtering is the process of filtering out the data that is being transmitted to the outside of the network.  Typically, non-standard ports will be blocked as a measure to prevent data from leaving.  Malware or a virus that makes its way into the network could try sending data on a random port.  If that is the case, then by blocking all non-essential ports, the malicious software loses its ability to communicate to the outside and possibly helps reduce its impact.  Unfortunately, we are seeing more and more these malicious tools using common ports because they are known to be available. 

Once the company has adopted a solid data classification policy, other constraints like Data Loss Prevention (DLP) can be implemented to help identify data leaving the network.  In addition, network segmentation can also help protect data from being removed from the networks.   We will discuss those topics in future posts.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on twitter or visit the Secure Ideas – Professionally Evil site for services provided.