Background and Function

In dealing with customers with huge networks, we were shocked to realize that many had misconceptions about what the term "egress" actually means. There are a number of ways to look at ingress and egress, and since much of this book references RFCs and network-specific etymology, it is important to note that we are not using the definition of egress from RFC 2827. Instead, the term egress is used in this book to describe traffic leaving an organization's network. Ingress is the reverse: traffic entering an organization's network. Figure 9-1 illustrates both ingress and egress.

Figure 9-1: Traffic ingress and egress

Egress isn't talked about much with regard to network defense techniques. That's because once something "is in," most security managers feel as though the battle is over and that it's now about assessing the damage, managing the intrusion, and cleaning up. With the advent of botnets, Trojans, and malware that "phone home," more and more attention is being paid to network egress defenses, and it's our opinion that all networks should monitor and restrict egress wherever possible. Why? Everyone knows that network security is a matter of raising the bar higher than the next guy's so that his network gets more attention from the attackers than yours. While this isn't always the case (there are some target-rich environments that are under attack all day every day, such as the U.S. Department of Defense), in most cases the best way to protect your network is to make it that much more difficult to work with than your neighbor's.

Since most attackers are merely script kiddies standing on the shoulders of giants (the few among us who live to find weaknesses in systems and software), their tool sets are limited. That means even if they are able to infiltrate, if you limit their capabilities with regard to what they can take out of the organization or where within it they can go, they will have limited success (and consequently, limited interest in continuing). During incident response situations, we've seen kits and tools left abandoned on infiltrated systems that were unusable because of certain network conditions. We know of other tools and methods that could have been used to get around those conditions, but the attacker didn't use them. This is why raising the bar works: even if you can't keep out the smartest guy in the world, you may not have to, because you're protecting your network from everyone, not just the smartest guy in the world.

It's been a rare but sweet occasion when we've seen attackers successfully exploit a vulnerability in a corporate information system and then fail to realize the fruits of their labors because the egress filters put in place by the target organization's savvy network administrator saved the day. By restricting the attackers' flexibility in egress options, you'll limit their ability to control their exploits once they infiltrate your network. This must be a critical aspect of your defense strategy.
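The restriction and monitoring this chapter argues for can be stated as a policy: a default-deny egress rule set in which only designated relays (a web proxy, internal resolvers, a mail relay, an NTP host) may leave the network, each on exactly the ports it exists to serve, with every denied attempt logged and counted per source host. The following is an added example, not code from the book or from any firewall product; the address ranges, hosts, rules and flow records are constructed assumptions, and the evaluator models what a perimeter filter would do rather than driving a real one.

```python
"""Added example: default-deny egress policy evaluated over constructed flows.
Not from the book. The internal range, relay hosts, rules and sample flows are
constructed for illustration; documentation address ranges are used for the
outside world."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR of the internal hosts allowed to originate the traffic
    proto: str
    dports: frozenset   # destination ports permitted for that relay


# Constructed assumption: the organization's own address space. A flow from
# here to anywhere outside it is "egress" in the sense the chapter uses.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed allowlist: only purpose-built relays may leave the network, and
# only for the protocol each relay exists to carry. Nothing else is listed,
# so ordinary workstations have no direct path out.
RULES = (
    Rule("proxy-web-out", "10.0.1.10/32", "tcp", frozenset({80, 443})),
    Rule("resolver-dns-out", "10.0.53.0/24", "udp", frozenset({53})),
    Rule("mail-relay-smtp-out", "10.0.2.25/32", "tcp", frozenset({25})),
    Rule("ntp-out", "10.0.1.11/32", "udp", frozenset({123})),
)


def is_egress(flow):
    """True when the flow originates inside and is bound for outside."""
    return ip_address(flow.src) in INTERNAL and ip_address(flow.dst) not in INTERNAL


def evaluate(flow):
    """Return (verdict, reason). Egress that matches no allow rule is denied;
    traffic that never leaves the network is not the egress filter's concern."""
    if not is_egress(flow):
        return ("skip", "not-egress")
    src = ip_address(flow.src)
    for rule in RULES:
        if (src in ip_network(rule.src)
                and flow.proto == rule.proto
                and flow.dport in rule.dports):
            return ("allow", rule.name)
    return ("deny", "default-deny-egress")


def log_line(flow):
    """One log record per decision, so denied egress is visible, not silent."""
    verdict, reason = evaluate(flow)
    return (f"{verdict.upper()} src={flow.src} dst={flow.dst} "
            f"proto={flow.proto} dport={flow.dport} reason={reason}")


def denied_by_source(flows):
    """Count denied egress attempts per internal host. A host that keeps
    trying to leave by paths it is not allowed is worth a closer look."""
    counts = Counter()
    for flow in flows:
        if evaluate(flow)[0] == "deny":
            counts[flow.src] += 1
    return counts


# Constructed sample traffic (TEST-NET addresses, not real hosts).
SAMPLE_FLOWS = (
    Flow("10.0.1.10", "203.0.113.7", "tcp", 443),    # proxy fetching a web page
    Flow("10.0.53.2", "198.51.100.53", "udp", 53),   # resolver forwarding a query
    Flow("10.0.5.20", "10.0.1.10", "tcp", 3128),     # workstation to proxy: stays internal
    Flow("10.0.5.20", "203.0.113.7", "tcp", 443),    # workstation bypassing the proxy
    Flow("10.0.5.20", "198.51.100.9", "udp", 53),    # workstation using an outside resolver
    Flow("10.0.5.20", "203.0.113.44", "tcp", 6667),  # workstation to a non-standard port
    Flow("10.0.2.25", "203.0.113.25", "tcp", 25),    # mail relay delivering mail
)


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(log_line(flow))
    for host, n in denied_by_source(SAMPLE_FLOWS).most_common():
        print(f"review: {host} had {n} denied egress attempts")
```

Run as a script it prints one decision per flow and then the per-host tally; the workstation at 10.0.5.20 is the only source with denials, and all three of its denied flows would have succeeded under a policy that only filtered ingress. The point of routing the denies through `log_line` rather than dropping them silently is the monitoring half of the argument: a host repeatedly trying to leave by paths it has no business using is exactly the signal that something "is in."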



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005