Egress filtering is one of the most underestimated defenses available today. We continue to see organizations that have not deployed strong egress filtering, even though it is one of the most effective controls for both defending against and detecting botnets. Without it, outbound connections are a mystery to the security team, and identifying and intercepting malware command-and-control channels is unlikely.
What makes this neglect harder to excuse is that egress filtering is cheap (you probably already have a firewall or router that can do it) and easily managed once configured. Sure, establishing the political will to see it through can be tough, but given the threat levels and attacker techniques in play today, it is a critical effort. Start by examining what outbound traffic you allow today, logging it for long enough to learn which ports and destinations real business applications depend on. Then switch the outbound default to deny and allow only the ports that have a true business case. Once you have choked down the traffic, consider implementing application proxies where possible, so the remaining egress rules can be tightened further and the traffic passing through them can be inspected.
Once you have appropriate proxies in place, don’t allow any outbound web traffic or the like from any host but the proxies. No outbound DNS, chat protocols or the like from the desktop world to the Internet: desktops resolve names through internal resolvers, and only those resolvers talk to the Internet on port 53. The more you choke this down, the fewer paths a compromised desktop has to reach its controller, and the more any attempt to do so stands out.
Egress filtering is just too easy to ignore. The protection it provides, and the ability to monitor outbound attempts to break the rules once they are in place, are powerful tools for identifying compromised internal hosts: log the denied outbound attempts and review them, because a desktop that repeatedly tries to reach the same external host on a port you have closed is rarely a misconfigured application and very often malware looking for its command-and-control server. Best practice today includes this requirement, and those interested in truly securing information should embrace egress filtering as soon as possible.
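The procedure above (default deny, allow only business-case ports, push web and DNS through dedicated hosts, then watch the denials) is illustrated below in an added example that is not code from the original post. The network layout, the proxy and resolver addresses, the port allowlist and the netfilter-style log lines are all constructed assumptions; real deployments will substitute their own addresses and their firewall's actual log format. The policy check is the same default-deny decision the firewall makes, and the triage re-applies it to logged outbound attempts to surface hosts that keep hitting closed ports.

```python
"""Egress policy evaluation and outbound-deny triage.

Added example, not code from the original post. Addresses, the allowlist
and the log format are hypothetical assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed network layout (hypothetical addresses).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_HOSTS = {ipaddress.ip_address("10.0.1.10")}     # only host allowed out on 80/443
RESOLVER_HOSTS = {ipaddress.ip_address("10.0.1.53")}  # only host allowed out on 53

# Allowlist: (sources, protocol, destination ports, business case).
# Any outbound attempt matching no entry is denied (default deny).
ALLOW_RULES = [
    (PROXY_HOSTS, "TCP", {80, 443}, "web browsing via proxy"),
    (RESOLVER_HOSTS, "UDP", {53}, "DNS via internal resolver"),
    (RESOLVER_HOSTS, "TCP", {53}, "DNS via internal resolver"),
]

# What a denied attempt to a given port most likely is.
PORT_LABELS = {
    53: "direct DNS (bypasses internal resolver)",
    25: "direct SMTP (spam bot or exfil)",
    80: "direct HTTP (bypasses proxy)",
    443: "direct HTTPS (bypasses proxy)",
    6667: "IRC (classic bot C2)",
}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_allowed(src, dst, proto, dport):
    """Default-deny decision for one connection attempt; returns (allowed, reason).

    Internal-to-internal traffic is not egress and is left alone; anything
    leaving the internal range must match an ALLOW_RULES entry.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_internal(dst):
        return True, "internal traffic"
    for hosts, rule_proto, ports, reason in ALLOW_RULES:
        if src in hosts and proto == rule_proto and dport in ports:
            return True, reason
    return False, "default deny"


# Constructed sample lines in an iptables/netfilter-style format: one entry
# per new outbound connection attempt seen by the firewall.
SAMPLE_LOG = """\
Mar 10 09:00:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=443
Mar 10 09:00:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=51000 DPT=6667
Mar 10 09:05:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=51001 DPT=6667
Mar 10 09:10:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=51002 DPT=6667
Mar 10 09:11:40 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.2 PROTO=UDP SPT=53211 DPT=53
Mar 10 09:11:41 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.9 PROTO=TCP SPT=53212 DPT=443
Mar 10 09:12:00 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.53 DST=198.51.100.2 PROTO=UDP SPT=33000 DPT=53
Mar 10 09:12:30 fw kernel: EGRESS IN=eth1 OUT=eth1 SRC=10.0.5.41 DST=10.0.1.10 PROTO=TCP SPT=53213 DPT=3128
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (src, dst, proto, dport) for every line the regex matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def triage(text):
    """Re-evaluate each logged attempt against policy and summarise violations per source.

    Returns {src: {"attempts": n, "destinations": Counter({(dst, dport): n}), "labels": set()}}.
    """
    report = defaultdict(lambda: {"attempts": 0, "destinations": Counter(), "labels": set()})
    for src, dst, proto, dport in parse_log(text):
        allowed, _ = egress_allowed(src, dst, proto, dport)
        if allowed:
            continue
        entry = report[src]
        entry["attempts"] += 1
        entry["destinations"][(dst, dport)] += 1
        entry["labels"].add(PORT_LABELS.get(dport, f"port {dport}"))
    return dict(report)


def likely_compromised(report, min_repeats=3):
    """Sources that hit the same denied destination repeatedly look like beaconing, not a misconfigured client."""
    return sorted(
        src for src, entry in report.items()
        if any(count >= min_repeats for count in entry["destinations"].values())
    )


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for src, entry in sorted(rep.items()):
        print(f"{src}: {entry['attempts']} denied attempt(s); {', '.join(sorted(entry['labels']))}")
    print("likely compromised:", likely_compromised(rep))
```

In the constructed log, the proxy's HTTPS connection and the resolver's DNS query are the only external attempts the policy permits, so they drop out of the report; the desktop that tries the same IRC server three times is flagged as a beaconing candidate, while the desktop that tried direct DNS and HTTPS once each shows up as a policy violation worth a look but not (yet) as a likely bot. The threshold in `likely_compromised` is a starting point to tune against your own deny logs.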
If you want help with such a project or want to learn more about scoping egress filtering in your network, let us know. We would be happy to help you!