What is egress filtering and why use it?
Learning Objectives
- What egress filtering is
- Best practices for using egress filtering
Why Use Egress Filtering?
Internet Egress Security
Outbound or egress controls stop internal resources from reaching potentially dangerous endpoints out in the wilds of the internet. A properly secured VPC ensures that only trusted sites are reachable, which reduces the risk of your digital services interacting with unsavory entities and prevents any infection that has already occurred on your servers from dialing home to its command-and-control location.
Deep-dive into Egress Security & Filtering
Egress filtering means controlling any data bound for an external entity as it passes through the edge router of the host network on its way to the destination node. An outbound connection is checked against a set of policies or filter rule sets before it is allowed; otherwise one of your machines might end up sending requests to a dangerous host. Egress-only internet gateways prevent the internet from initiating an IPv6 connection to your instances: they allow only outbound IPv6 communication from instances in your VPC to the internet.
Traffic from the instances in the subnet is forwarded by the egress-only internet gateway to other AWS services or to the internet, and the corresponding response is sent back. An egress-only internet gateway is created from the Amazon VPC console.
Several techniques are used in egress filtering. Anti-spoofing filters stop outbound traffic with forged source addresses, such as the traffic generated by a distributed denial-of-service attack, from leaving the network. Certain services are normally reserved for internal networks and are commonly associated with exploitation, so a filter for internal-only services is essential. Services often associated with malicious activity, and services that should be restricted to a small number of known hosts, should be filtered as well.
AWS VPCs provide NAT gateways, but these carry native AWS IP address limitations, so egress traffic filtering is still needed to help mitigate data exfiltration from network assets. The core measures are:
- A deny-all outbound policy, packet filter, or firewall rule ensures that nothing leaves the network without explicit permission, apart from the services identified in the egress traffic enforcement policy. Administrators reach the network and its systems through granular, restrictive rules.
- Limit the addresses allowed to send data to the internet with an anti-spoofing policy: only source addresses from the IP network numbers assigned to your internal network are allowed to pass the firewall.
- Apply appropriate subnet masks so that only traffic from address space that is actually in use is passed, and block traffic from any private addresses from being forwarded over your internet circuit.
- Block any network segments or VLANs that have no business establishing a connection to internet servers.
- Do not allow outbound connections to destination addresses listed in the DROP (Don't Route Or Peer) or BGP filter lists.
- Use a web proxy to perform URL and content filtering for HTTP, and allow outbound HTTP connections through the firewall only from the proxies.
- For firewalls that negotiate and exchange PPP over Ethernet, blocking routing protocols at the firewall is essential.
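The deny-all egress policy with the anti-spoofing, private-address and routing-protocol checks described above, as an added Python example (not code from the original article; the address ranges, ports and allow list are constructed for illustration):

```python
import ipaddress

# Constructed sample policy (not taken from any real deployment).
# Address space actually assigned to the VPC: the only permitted source addresses.
ASSIGNED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Private/reserved space that must never be forwarded over the internet circuit.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Routing-protocol ports kept inside the perimeter (assumed set: BGP 179, RIP 520).
ROUTING_PORTS = {179, 520}
# Explicit allow list of (destination, protocol, port); everything else is denied.
ALLOW_RULES = [
    (ipaddress.ip_network("198.51.100.0/24"), "tcp", 443),  # package mirror (constructed)
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),  # SaaS API (constructed)
]

def evaluate(src_ip, dst_ip, proto, dport):
    """Return (verdict, reason) for one outbound flow under the deny-all egress policy."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Anti-spoofing: only our assigned address space may appear as a source.
    if not any(src in n for n in ASSIGNED_NETS):
        return "deny", "spoofed source"
    # 2. Private/reserved destinations are never routed out over the internet link.
    if any(dst in n for n in PRIVATE_NETS):
        return "deny", "private destination"
    # 3. Routing protocols are blocked at the firewall.
    if dport in ROUTING_PORTS:
        return "deny", "routing protocol"
    # 4. Deny-all default: only flows matching an explicit allow rule leave.
    for net, rule_proto, rule_port in ALLOW_RULES:
        if dst in net and proto == rule_proto and dport == rule_port:
            return "allow", "explicit allow rule"
    return "deny", "no matching allow rule"

# Constructed sample flows (src, dst, proto, dport): a legitimate download, a callout
# to an unlisted host, a forged source, a leak to private space, a BGP attempt.
SAMPLE_FLOWS = [
    ("10.20.1.5", "198.51.100.7", "tcp", 443),
    ("10.20.1.5", "192.0.2.9", "tcp", 443),
    ("8.8.8.8", "198.51.100.7", "tcp", 443),
    ("10.20.1.5", "192.168.1.1", "udp", 53),
    ("10.20.1.5", "198.51.100.7", "tcp", 179),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(*flow)
        print(f"{flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}: {verdict} ({reason})")
```

Only the first sample flow is allowed; each of the others is denied with the reason that names the control it tripped.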
Best Practices for Egress Filtering
Use a proxy whenever possible
By placing proxy breakpoints in the network, your firewalls accept traffic from only a few proxies rather than from the entire network. This limits the amount of traffic reaching the firewall and adds an extra layer of control over your outgoing traffic.
Use firewall configuration review tools
If the firewall was not configured for outbound filtering at the outset, its rule set is probably configured to allow unfiltered outbound access. However, since most firewalls carry thousands or even tens of thousands of rules, it is not practical to review them manually to identify which ones are at risk. By running a rule set parser against your firewall rule sets, you can immediately identify risks within the firewall, including rules allowing outbound at-risk traffic as well as open ports. Be sure to visualize these risks and evaluate the systems that use them.
Business Justification for Firewall Outbound Rules
Once all outbound rules in your firewall are locked down, create a policy requiring that every future outbound rule is documented with a business justification: why the rule was created, who uses it, which applications and systems use it, and who owns the originating business process. This is useful not only for audits but also for knowing what your firewall rules are for, especially the ones that allow packets to leave your network.
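An added example, not from the original article, of the kind of rule set parser the review step above calls for, combined with the business-justification check: it walks a constructed set of simplified AWS security group egress rules (the field names follow the IpPermissionsEgress shape; the "sg" key, the values, the internal-only port set and the wide-range threshold are assumptions made up for the example) and flags any-destination rules, internal-only services exposed to the internet, wide port ranges, and rules with no documented justification.

```python
import ipaddress

# Constructed sample egress rule set, shaped like simplified AWS security group
# IpPermissionsEgress entries (not real describe-security-groups output).
SAMPLE_RULES = [
    {"sg": "sg-web", "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "payments API, owner: billing"}]},
    {"sg": "sg-web", "IpProtocol": "-1", "FromPort": None, "ToPort": None,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": ""}]},
    {"sg": "sg-db", "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "replication, owner: dba"}]},
    {"sg": "sg-app", "IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": ""}]},
]
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Internal-only services that must not be reachable outbound on the internet side
# (assumed set for the example: RPC 135, NetBIOS 137-139, LDAP 389, SMB 445).
INTERNAL_ONLY_PORTS = {135, 137, 138, 139, 389, 445}
WIDE_RANGE = 1024  # assumed threshold: a span this large is treated as "any port"

def port_span(rule):
    """Protocol -1 means all traffic, i.e. every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def audit_rule(rule):
    """Return the list of findings for one egress rule; an empty list means clean."""
    findings = []
    lo, hi = port_span(rule)
    for r in rule["IpRanges"]:
        net = ipaddress.ip_network(r["CidrIp"])
        private_dest = any(net.subnet_of(p) for p in PRIVATE_NETS)
        if net.prefixlen == 0:
            findings.append("any-destination")
        if not private_dest and any(lo <= p <= hi for p in INTERNAL_ONLY_PORTS):
            findings.append("internal-only service to internet")
        if not r.get("Description"):
            findings.append("no business justification")
    if hi - lo >= WIDE_RANGE:
        findings.append("wide port range")
    return findings

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["sg"], rule["IpRanges"][0]["CidrIp"], audit_rule(rule) or "clean")
```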
Review Security Zones
Your network likely has a DMZ, a PCI zone, or other sensitive segments that should not be directly accessible. These are key areas of your network, and the firewalls controlling traffic into and out of them must be subject to even more scrutiny and control. They must be treated with the same logging, review, and management procedures as your other firewalls that face external networks, and audited at regular intervals.