Outbound Internet Access

The concept of outbound Internet access really relates back to perimeter defenses. However, the protection of such access is so often neglected within the average organization that I felt it warranted its own section in this book. As I mentioned previously, outbound Internet access (when internal employees access the Internet) poses security issues that are often overlooked. There are many inherent dangers in allowing employees to access the Internet that should be taken into consideration when developing Internet security practices.

Applying the Rules of Security to Outbound Internet Access

When allowing employees to access the Internet, some specific rules should be kept in mind. Giving someone Internet access is a powerful action with many potential consequences. By using the following rules, we better manage the security of our Internet users and protect our organization:

Rule of the Three-Fold Process

It is important that any system accessing the Internet be kept up-to-date with the latest security patches. This is especially true for those browsing the Internet with a Web browser. Web browsers are usually full of great features and horrible vulnerabilities. Users that access the Internet must be using properly maintained systems and have had at least some basic Internet security training.

As far as monitoring is concerned, logging outbound Internet access is normally not possible due to the tremendous number of logs that would be generated. It is a good idea to require some form of access authorization before users are allowed to explore the Internet. This way, it will be possible to log systems that attempt to access the Internet without first authenticating. Such logs can point out systems that have back door programs, worms, and other automated applications that attempt to open connections to the Internet without the knowledge or permission of the end-user.

Rule of Least Privilege

Yes, the Rule of Least Privilege even applies to outbound Internet access. Organizations are highly discouraged from allowing all employees to access the Internet freely; such practices make it extremely difficult to enforce outbound access security. I have already discussed issues with attacks riding back on connections initiated from inside an organization and automated applications that establish outbound tunnels. Additionally, the Internet hosts many destructive tools, malicious scripts, viruses, and many sites that attempt to trick employees into giving away valuable information. Given the many dangers in allowing Internet access, the following controls are recommended:

  • No employee should have access to the Internet unless required. Allowing an end-user access to the Internet should not be taken lightly. Every individual who is allowed to access the Internet from the internal network adds some level of exposure to the environment. Internet access is a powerful tool, and this should be considered when distributing access accounts. End-users accessing the Internet should also have some degree of security awareness training.

  • Only systems of a non-critical nature should be allowed to access the Internet. By allowing a system to access the Internet, we increase the exposure of that system. As a general rule, critical servers should never be allowed to access the Internet unless required by their function.

  • Internet access should be restricted to Web pages with appropriate content. Hacker Web sites provide a variety of tools for the curious employee to download. Such sites oftentimes host malicious code designed to crash the end-user's system. A content filter is recommended for outbound Internet access, and it should be configured to restrict access to hacker Web sites. Though it is impossible to block access to such sites completely, the goal is to limit the average user's exposure.

  • Internet access should be monitored. No, this does not mean that we will be up at 5:00 a.m. watching employees check the new Lotto numbers. However, in many situations, it is vital that the organization have the ability to monitor end-user actions on the Internet if ever needed. For an organization to be able to monitor, log, or track employee activities, a policy stating so needs to be signed by each employee.

Outbound Zoning (Proxies)

If we look back to the sample zoning scenarios I provided earlier, we see that there are zoning scenarios designed to address outbound access. Such zones implement a relay system to carry out requests on the end-user's behalf. With Internet access, this usually involves the implementation of a proxy server. Proxy servers are a great way to protect internal systems that need to access external entities like the Internet. Proxies provide protection for the entire session and allow for content filtering, virus scanning, JavaScript blocking, authentication, access monitoring, and other useful features. Quite often, an organization will implement a packet filtering firewall to stand between the Internet and the internal networks, and it will also implement a basic proxy server that simply forwards requests to the Internet on behalf of the users. This type of solution provides optimal protection when accessing the Internet.
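The authentication requirement described under the Rule of the Three-Fold Process, applied to the authenticating proxy described in this section: an added example (not from the book) that scans constructed Squid-style proxy log lines for internal hosts that keep hitting the proxy without ever supplying credentials, the pattern of a back door or worm rather than a person at a browser. The log field layout, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Squid-style access.log lines for this example (no real traffic).
# Fields: time elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1700000000.101    12 10.1.2.10 TCP_DENIED/407 3541 CONNECT www.example.com:443 - HIER_NONE/- text/html
1700000000.105   230 10.1.2.10 TCP_TUNNEL/200 9812 CONNECT www.example.com:443 alice HIER_DIRECT/93.184.216.34 -
1700000001.300    11 10.1.2.77 TCP_DENIED/407 3541 CONNECT 198.51.100.5:443 - HIER_NONE/- text/html
1700000002.310    10 10.1.2.77 TCP_DENIED/407 3541 CONNECT 198.51.100.6:443 - HIER_NONE/- text/html
1700000003.320    10 10.1.2.77 TCP_DENIED/407 3541 GET http://203.0.113.9/beacon - HIER_NONE/- text/html
1700000004.330    10 10.1.2.77 TCP_DENIED/407 3541 CONNECT 198.51.100.7:443 - HIER_NONE/- text/html
1700000005.000    15 10.1.2.20 TCP_DENIED/407 3541 GET http://news.example.org/ - HIER_NONE/- text/html
1700000005.200   180 10.1.2.20 TCP_MISS/200 5120 GET http://news.example.org/ bob HIER_DIRECT/198.51.100.40 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def parse(log_text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def unauthenticated_hosts(log_text, min_attempts=3):
    """Return {client: {"attempts": n, "destinations": k}} for clients that drew
    at least min_attempts proxy authentication challenges (407) and never made an
    authenticated request in the same window. A browser answers the challenge;
    software running without the user's knowledge typically keeps retrying."""
    challenged = defaultdict(list)   # client -> URLs requested without credentials
    authenticated = set()            # clients seen with a real user name
    for rec in parse(log_text):
        if rec["status"] == "407" and rec["user"] == "-":
            challenged[rec["client"]].append(rec["url"])
        elif rec["user"] != "-":
            authenticated.add(rec["client"])
    suspects = {}
    for client, urls in challenged.items():
        if client in authenticated or len(urls) < min_attempts:
            continue
        suspects[client] = {"attempts": len(urls), "destinations": len(set(urls))}
    return suspects

if __name__ == "__main__":
    for host, info in unauthenticated_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} unauthenticated attempts to {info['destinations']} destinations")
```

Hosts that are reported here are the ones the text says to look at for back door programs or worms; a host that merely forgot its credentials once drops out because it authenticates shortly afterwards.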

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day