Egress filtering
In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.

TCP/IP packets that are being sent out of the internal network are examined via a router or firewall. Packets that do not meet security policies are not allowed to leave; they are denied "egress".

Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.

In a corporate network, typically all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be set to use one of the allowed servers as a proxy. Direct access to external networks by the internal user workstation would not be allowed.
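As an added illustration of the policy just described (this evaluator is not part of the original article), the following Python code replays constructed flow records against a default-deny allow-list: only the proxy, the mail relay and the DNS resolver are permitted outbound, each on its own protocol, and a workstation's direct connection to an external host is denied. The addresses, host roles and key=value record format are assumptions made for the example.

```python
"""Egress policy evaluator: replays constructed outbound flow records against
a default-deny allow-list of the kind the article describes."""
import ipaddress
from dataclasses import dataclass

# Constructed network layout; these addresses are assumptions for the example,
# not values from the article.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_SERVER = ipaddress.ip_address("10.0.1.10")   # HTTP/HTTPS forward proxy
MAIL_SERVER = ipaddress.ip_address("10.0.1.20")    # outbound SMTP relay
DNS_RESOLVER = ipaddress.ip_address("10.0.1.30")   # recursive DNS resolver

# Allow-list of (source host, transport protocol, destination port).
# Any outbound flow that matches no entry is denied egress.
ALLOW_RULES = (
    (PROXY_SERVER, "tcp", 80),
    (MAIL_SERVER, "tcp", 25),
    (PROXY_SERVER, "tcp", 443),
    (DNS_RESOLVER, "udp", 53),
    (DNS_RESOLVER, "tcp", 53),
)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one 'key=value' record, e.g.
    'src=10.0.5.42 dst=203.0.113.7 proto=tcp dport=443'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def decide(flow):
    """Return (verdict, reason). Only traffic crossing from the internal
    network to an external one is subject to the egress policy."""
    if flow.src not in INTERNAL_NET:
        return "skip", "not sourced from the internal network"
    if flow.dst in INTERNAL_NET:
        return "skip", "internal-to-internal traffic is not egress"
    for host, proto, port in ALLOW_RULES:
        if flow.src == host and flow.proto == proto and flow.dport == port:
            return "allow", f"{host} permitted {proto}/{port}"
    # Default deny: no rule matched this source/protocol/port combination.
    return "deny", f"no egress rule for {flow.src} -> {flow.proto}/{flow.dport}"


def evaluate(lines):
    """Evaluate each record; returns a list of (line, verdict, reason)."""
    return [(line, *decide(parse_flow(line))) for line in lines]


def denied(lines):
    """Return only the records the perimeter would drop."""
    return [line for line, verdict, _ in evaluate(lines) if verdict == "deny"]


# Constructed sample records; external hosts use documentation address ranges.
SAMPLE_LOG = [
    "src=10.0.5.42 dst=203.0.113.7 proto=tcp dport=443",     # workstation direct to web
    "src=10.0.5.42 dst=10.0.1.10 proto=tcp dport=3128",      # workstation to proxy (internal)
    "src=10.0.1.10 dst=203.0.113.7 proto=tcp dport=443",     # proxy to web
    "src=10.0.1.20 dst=198.51.100.25 proto=tcp dport=25",    # mail relay to remote MX
    "src=10.0.5.42 dst=198.51.100.53 proto=udp dport=53",    # workstation bypassing resolver
    "src=10.0.1.30 dst=198.51.100.53 proto=udp dport=53",    # resolver to upstream DNS
    "src=10.0.1.10 dst=192.0.2.9 proto=tcp dport=22",        # proxy host, disallowed protocol
]

if __name__ == "__main__":
    for line, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:5}  {line}  ({reason})")
```

The point worth noticing in the output is the last record: the proxy host is on the allow-list, but only for HTTP and HTTPS, so an SSH connection from it is still denied. Matching on the source host, the protocol and the port together is what keeps a compromised allowed server from becoming a general-purpose exit.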

Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason egress filtering is an uncommon feature on consumer and very small business networks.

The recent appearance of botnets within private networks has increased the use of egress filtering by security-conscious organizations.

Egress filtering is also becoming required for organizations that must comply with the PCI DSS, which requires egress filtering from any server in the cardholder data environment. This is seen in PCI-DSS v1.2, sections 1.2.1 and 1.3.5.

See also

  • Ingress filtering
  • IP address spoofing
  • Web Proxy Autodiscovery Protocol
  • Storm botnet


External links

  • http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
  • http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf
  • https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.