Hack 37 Keep Your Network Self-Contained

Use egress filtering to mitigate attacks and information leaks coming from your network.

You're probably familiar with the concept of firewalling as it applies to blocking traffic coming into your network. Have you considered the benefits of filtering traffic that leaves your network? For instance, what would happen if someone compromised a host on your network and used it as a platform to attack other networks? What if a worm somehow made it onto your network and tried to infect hosts across the Internet? At the very least, you would probably receive some angry phone calls and emails. Luckily, filtering your outbound traffic otherwise known as egress filtering can help to contain such malicious behavior. Egress filtering can not only protect others from attacks originating from your network, but can also be used to enforce network usage policies and make sure information doesn't leak out of your network onto the wider Internet. In many situations, egress filtering is just as important as filtering inbound traffic.

The general guideline when crafting egress-filtering rules is the same as when constructing any inbound-filtering rule devices should only be allowed to do what they were meant to do. That is, a mail server should only be allowed to serve and relay mail, a web server should only be allowed to serve web content, a DNS server should only service DNS requests, and so on. By ensuring that this policy is implemented, you can better contain the threats mentioned earlier.

It may also be a good idea to force users to use internal services rather than Internet services wherever possible. For example, if you are using your own DNS servers, clients shouldn't be able to connect to external DNS servers to resolve hostnames. If a client is allowed to do this, you risk the chance that they will reveal intranet hostnames to outside parties when the client attempts to resolve an internal hostname through an external DNS server.

For instance, this restriction can be accomplished in OpenBSD with a rule like this:

rdr on $INT_IF inet proto { tcp, udp } from $INT_IF:network to any port 53  -> $DNS_SERVER port 53

Of course, you'll need to set INT_IF to the interface facing your internal network and set DNS_SERVER to the IP address of your internal DNS server.

Similarly, if you're running an internal mail server, then company email need never cross the Internet. If you have gone to the trouble of setting up an internal email server, do you really want your employees to be able to connect to servers outside your network?

You can do this with a similar rule:

rdr on $INT_IF inet proto tcp from $INT_IF:network to any port 25 -> $SMTP_HOST port 25

Egress filtering can also prevent IP spoofing. By filtering on your external interface at the border of your network, you can verify that packets leaving your network have source addresses that match your address space. By filtering all other traffic, you can ensure that any IP spoofing attack performed from your network or routed through it will be dropped before the packets are able to leave.