Jump to content

Egress filtering: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Monkbot (talk | contribs)
m top: Task 16: replaced (2×) / removed (0×) deprecated |dead-url= and |deadurl= with |url-status=;
added ',' after typically
Line 1: Line 1:
In [[computer networking]], '''egress filtering''' is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private [[TCP/IP]] computer network to the [[Internet]] that is controlled.
In [[computer networking]], '''egress filtering''' is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private [[TCP/IP]] computer network to the [[Internet]] that is controlled.


TCP/IP packets that are being sent out of the internal network are examined via a [[router (computing)|router]], [[Firewall (computing)|firewall]], or similar [[edge device]]. Packets that do not meet security policies are not allowed to leave – they are denied "egress".<ref>Robert Gezelter (1995) ''Security on the Internet'' Chapter 23 in Hutt, Bosworth, and Hoytt (1995) "Computer Security Handbook, Third Edition", Wiley, section 23.6(b), pp 23-12, et seq.</ref>
TCP/IP packets that are being sent out of the internal network are examined via a [[router (computing)|router]], [[Firewall (computing)|firewall]], or similar [[edge device]]. Packets that do not meet security policies are not allowed to leave – they are denied "egress".<ref>Robert Gezelter (1995) ''Security on the Internet'' Chapter 23 in Hutt, Bosworth, and Hoytt (1995) "Computer Security Handbook, Third Edition", Wiley, section 23.6(b), pp 23-12, et seq.</ref>

Revision as of 10:51, 23 February 2022

In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP computer network to the Internet that is controlled.

TCP/IP packets that are being sent out of the internal network are examined via a router, firewall, or similar edge device. Packets that do not meet security policies are not allowed to leave – they are denied "egress".[1]

Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.

In a corporate network, typical recommendations are that all traffic except that emerging from a select set of servers would be denied egress.[2][3][4][5] Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be configured either manually or via proxy auto-config to use one of the allowed servers as a proxy.

Corporate networks also typically have a limited number of internal address blocks in use. An edge device at the boundary between the internal corporate network and external networks (such as the Internet) is used to perform egress checks against packets leaving the internal network, verifying that the source IP address in all outbound packets is within the range of allocated internal address blocks.

Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason, egress filtering is an uncommon feature on consumer and very small business networks.

See also

References

  1. ^ Robert Gezelter (1995) Security on the Internet Chapter 23 in Hutt, Bosworth, and Hoytt (1995) "Computer Security Handbook, Third Edition", Wiley, section 23.6(b), pp 23-12, et seq.
  2. ^ "Malware Threats and Mitigation Strategies" (PDF). Us-cert.gov. Retrieved 2015-06-20.
  3. ^ "Holistic View of Securing IP-based Industrial Control System Networks" (PDF). Ics-cert.us-cert.gov. Archived from the original (PDF) on 2014-01-23. Retrieved 2015-06-20.
  4. ^ "Mitigation Monday # 2" (PDF). Nsa.gov. Archived from the original (PDF) on 2015-06-19. Retrieved 2015-06-20.
  5. ^ "Controlling Outbound DNS Access". United States Computer Emergency Readiness Team. U.S. CERT.