Why do I need outbound firewall policies?
Posted on 14 October 2024 by Rachael White
What do firewalls do?
It is normal to protect your network by restricting inbound traffic, using firewall rules to control which external IP addresses and ports can connect to your internet router or, via Network Address Translation (NAT), to an internal device.
It was once fairly common practice to allow any internal device access to any external address on any port. The reasoning behind this approach was that inbound traffic from malicious servers would be blocked, preventing infection of internal devices, while internal devices kept unrestricted access to browse the web and use any other service without the firewall blocking anything and causing issues for users.
Why control outbound traffic?
Take for an example the following scenario that shows a Command and Control (C&C) infection:
- A user on a computer connects to a malicious website and clicks on a link that downloads a piece of malware without the user’s knowledge.
- The malware installs, but to call home to the control server while avoiding detection it uses a random port, say tcp/45678.
- The firewall allows the outbound connection from the infected device.
- Because the traffic originated from inside the network, the firewall also allows the return traffic from the control server.
- The control server now has remote access to the infected internal device.
How can I stop this?
To mitigate the above scenario, we apply some basic outbound firewall rules and deny all other inside-to-outside traffic:
- Allow tcp/443 (HTTPS), and if required tcp/80 (HTTP), from internal devices to any external address.
- DNS, if required: since your router or an internal server should be answering lookups, give only the specific internal DNS server’s IP address access to tcp/53 (DNS), and preferably only to your ISP’s name servers.
- Any other ports required for internal systems to function, such as udp/123 (NTP) and tcp/22 (SFTP), again locked down where possible to specific internal and external addresses.
- The final rule at the bottom of the outbound policy is: deny any address to any port.
Now, if we go through the original scenario again:
- A user on a computer connects to a malicious website and clicks on a link that downloads a piece of malware without the user’s knowledge.
- Our firewall rules allow tcp/443 (HTTPS) outbound to any external address, so the download succeeds.
- The malware installs, but to call home to the control server while avoiding detection it uses a random port, say tcp/45678.
- The firewall blocks the outbound tcp/45678 connection because of the "deny any address to any port" rule at the end of the policy.
- The control server can no longer gain remote access to the infected internal device.
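The outbound policy above, evaluated top to bottom with first match winning and the deny-all rule last, as an added example (not code from the original post). The addresses are constructed for illustration, and the DNS rules cover udp/53 as well as the tcp/53 named in the article, since most lookups travel over UDP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses for this example (RFC 5737 test ranges for "external").
LAN = ip_network("192.168.1.0/24")
INTERNAL_DNS = ip_network("192.168.1.2/32")       # the one resolver allowed out on port 53
ISP_RESOLVERS = ip_network("203.0.113.0/24")      # stands in for the ISP's name servers
SFTP_PARTNER = ip_network("198.51.100.10/32")     # the single external SFTP host we need
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int]         # destination port, None = any port
    src: IPv4Network = LAN
    dst: IPv4Network = ANY

    def matches(self, proto: str, src, dport: int, dst) -> bool:
        return (self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport)
                and src in self.src and dst in self.dst)


# Outbound rules from the article, in order; the last rule catches everything else.
OUTBOUND = [
    Rule("allow", "tcp", 443),                                   # HTTPS to anywhere
    Rule("allow", "tcp", 80),                                    # HTTP, only if still required
    Rule("allow", "udp", 53, INTERNAL_DNS, ISP_RESOLVERS),       # DNS: internal resolver -> ISP only
    Rule("allow", "tcp", 53, INTERNAL_DNS, ISP_RESOLVERS),
    Rule("allow", "udp", 123),                                   # NTP
    Rule("allow", "tcp", 22, LAN, SFTP_PARTNER),                 # SFTP, pinned to one external host
    Rule("deny", "any", None, ANY, ANY),                         # final rule: deny any to any
]


def evaluate(proto: str, src: str, dport: int, dst: str, policy=OUTBOUND) -> Tuple[str, int]:
    """First-match evaluation; returns (action, index of the rule that matched)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for index, rule in enumerate(policy):
        if rule.matches(proto, src_ip, dport, dst_ip):
            return rule.action, index
    return "deny", -1   # nothing matched: still deny, so a missing last rule is not fatal


if __name__ == "__main__":
    # The C&C beacon from the scenario: tcp/45678 from an infected workstation.
    print(evaluate("tcp", "192.168.1.50", 45678, "198.51.100.77"))   # ('deny', 6)
    print(evaluate("tcp", "192.168.1.50", 443, "198.51.100.77"))     # ('allow', 0)
    print(evaluate("udp", "192.168.1.50", 53, "203.0.113.1"))        # ('deny', 6)
```

The third call shows the side effect of pinning DNS to the internal resolver: a workstation that tries to query the ISP directly (or any external resolver) is denied, so malware cannot use DNS to a server of its choosing either.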
This is also true for local firewalls on each device such as Microsoft’s Windows Defender Firewall, which can control both inbound and outbound connections to each computer.
Firewall Glossary
- Command and Control (C&C) is a type of malicious attack where a user unknowingly installs code that enables a backdoor connection to allow remote control over the device.
- Domain Name System (DNS) is the service that converts a website address (domain name) to its IP address.
- Firewall is a device or piece of software that monitors and controls inbound and outbound traffic by the use of rules.
- Hypertext Transfer Protocol (HTTP) is a protocol that is used to display webpages on a device.
- Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that adds encryption to the data transfer to increase security of the data.
- Internet Service Provider (ISP) is a company that provides access to the internet.
- Malware is a piece of malicious software that’s developed by cybercriminals.
- Network Time Protocol (NTP) is a protocol used to keep networked devices on the correct time.
- Secure File Transfer Protocol (SFTP) is a protocol that allows transfer of files secured by encryption.
- Transmission Control Protocol (TCP) is one of the main protocols that allow communications between network devices.
- User Datagram Protocol (UDP) is a communication protocol used for time sensitive applications.