Controlling the “In”? Don’t forget the “Out”!

Do you remember the good old days? When I put my hands on my first firewall (somewhere around 1997-1998, wow, time flies!), the goal was to keep out all the bad guys playing on the Internet. And, at that time, not all firewalls had a default last-resort rule like “Any > Any: Drop”! Later, the infosec landscape embraced the wonderful “security perimeter”: your network was like a castle with big walls! No one could enter! What a wonderful world!

Some time later, companies realised that their users were first of all people with human behaviours, surfing the web during business hours. Some of them turned into a new profile: malicious insiders! It was time to inspect and block the outgoing traffic too.

Today, generally speaking, solutions are in place to inspect what is called “egress” traffic (the opposite of “ingress”). Wikipedia defines “egress filtering” as follows:

In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP network to the Internet that is controlled. TCP/IP packets that are being sent out of the internal network are examined via a router or firewall. Packets that do not meet security policies are not allowed to leave – they are denied “egress”. Egress filtering helps ensure that unauthorised or malicious traffic never leaves the internal network.

Implementing egress filtering is not always bullet-proof but it is a good start. In most corporate networks today, traffic like HTTP(S), DNS or SMTP cannot reach the Internet directly: it typically has to pass through a proxy, an internal resolver or a mail relay, where it can be inspected. So, what about your home network? While most DSL residential routers include firewall features, they remain basic and egress filters are often disabled by default. Here is an example of an egress filter on a Belgacom BBox router:

Egress Filter
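Here is what such an egress policy looks like when the home gateway is a Linux box, written as an nftables ruleset. This is an added example, not the BBox configuration and not anything from the original post. The interface names, the addresses, the LAN host running the HTTP proxy and DNS resolver, the list of trusted devices and the DHCP pool reserved for unknown devices (the split the post recommends further down) are all assumptions made for the illustration. The shell function only prints the ruleset, so it can be reviewed before being loaded with `nft -f`.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables egress
# policy for a home gateway. Everything below is an assumption made for the
# illustration:
#   - the gateway forwards between a LAN interface and a WAN interface
#   - one LAN host (gw_host) runs the HTTP proxy and the DNS resolver
#   - trusted devices have fixed IPs; visitors/new devices land in a DHCP pool
gen_egress_ruleset() {
    wan_if="$1"          # interface towards the ISP, e.g. eth0
    gw_host="$2"         # LAN host running the proxy and the resolver
    trusted="$3"         # comma-separated fixed IPs of trusted devices
    untrusted_pool="$4"  # DHCP range reserved for unknown devices (a-b form)

    cat <<EOF
#!/usr/sbin/nft -f
# Declare-then-flush makes the script safe to reload.
table inet egress
flush table inet egress
table inet egress {
    set trusted {
        type ipv4_addr
        elements = { $trusted }
    }

    chain forward {
        # Default: nothing leaves the LAN unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Traffic that is not heading to the Internet is not egress.
        oifname != "$wan_if" accept

        # Only the proxy/resolver host may talk to the Internet, and only
        # on the ports those services need. Every other device uses them.
        ip saddr $gw_host tcp dport { 80, 443 } accept
        ip saddr $gw_host udp dport 53 accept
        ip saddr $gw_host tcp dport 53 accept

        # Trusted devices: a short, explicit list of non-HTTP services the
        # proxy cannot carry (assumption: SSH and IMAPS).
        ip saddr @trusted tcp dport { 22, 993 } accept

        # Unknown/new devices get nothing direct; log them with their own
        # prefix so a new Smart TV's callbacks stand out in the logs.
        ip saddr $untrusted_pool log prefix "EGRESS-UNTRUSTED " drop

        # Anything else is an egress policy violation: log it, then drop.
        log prefix "EGRESS-DROP " drop
    }
}
EOF
}

# Usage: print the ruleset (pipe it into 'nft -f -' on the gateway to load it).
gen_egress_ruleset eth0 192.168.1.2 "192.168.1.10, 192.168.1.11" 192.168.1.200-192.168.1.220
```

Because the chain policy is `drop`, a forgotten service shows up as a logged drop rather than as an open door, which is the safe failure mode for egress filtering.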

What types of devices can we find in a home network today?

  • Computers
  • Game consoles
  • Printers
  • Phones
  • WiFi devices (tablets, smartphones)
  • Webcams
  • Storage devices (NAS)
  • Media players
  • Heating systems, fridges
  • Smart meters
  • Smart TVs
  • Miscellaneous sensors
And the list is growing every day! M2M (or “machine to machine”) traffic keeps increasing. Recently, two security bloggers published bad stories about LG Smart TVs which phone home and send information collected about the user’s behaviour (links here and here). For sure, expect more such stories in the future! I think that, like companies years ago, we will have to implement egress filtering on our home networks, to mitigate two threats:
  • Malware infections (callback to C&C)
  • Your privacy! (like the LG story)
The first one can be addressed by classic means like security awareness for your family and a <cough>good<cough> antivirus. The second one is nastier and we must fight against companies stealing our data. At home, my online devices have no direct access to the Internet: HTTP traffic is inspected by a proxy and I’m running an internal DNS resolver with a blacklist of prohibited domains. Both, combined with an IDS, send their findings to a Splunk instance. The proverb says “the cobbler’s children are the worst shod”, but we can’t afford that in infosec, please! Of course, this is not a solution that can easily be implemented in every house: protecting your privacy has a cost! To reduce the risks, you can split your network into two subnets:
  • Assign a fixed IP address to trusted devices
  • Reserve a small DHCP pool for unknown (friends, visitors, …) or new devices and prevent this pool from accessing the Internet directly
When connecting a new device (like a Smart TV), consider it “untrusted” and have a look at the traffic it generates for a while (when you turn it on or off, when you use it). Keep this in mind: more and more domestic devices will be connected over TCP/IP in the future, collecting more and more data about us. Have a look at the video published by Splunk on this topic.
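To “have a look at the generated traffic” of a new device, the gateway’s firewall log is the cheapest source: with a log-and-drop egress rule in place, every callback the device attempts shows up as a kernel log line. The following added example (not from the original post) summarises such lines per source device, destination and port, so the phone-home destinations of a freshly connected Smart TV stand out. The log lines are constructed for the example, in the netfilter `SRC=/DST=/PROTO=/DPT=` format, and the “EGRESS-UNTRUSTED” prefix is an assumed prefix chosen when the drop rule was written.

```shell
#!/bin/sh
# Added example (not from the original post): summarise egress drops logged
# by the gateway firewall, per source device and destination:port/proto.
# Assumes netfilter-style kernel log lines (SRC=, DST=, PROTO=, DPT= fields)
# and a log prefix chosen when writing the drop rule.

# Constructed sample of syslog lines, as a home gateway would produce them.
# 192.168.1.201 plays the freshly connected Smart TV sitting in the DHCP pool;
# the last line is a trusted device and must not appear in the summary.
sample_egress_log() {
    cat <<'EOF'
Nov 23 21:14:02 gw kernel: EGRESS-UNTRUSTED IN=eth1 OUT=eth0 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=29200 SYN URGP=0
Nov 23 21:14:05 gw kernel: EGRESS-UNTRUSTED IN=eth1 OUT=eth0 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TTL=63 ID=4712 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=29200 SYN URGP=0
Nov 23 21:14:09 gw kernel: EGRESS-UNTRUSTED IN=eth1 OUT=eth0 SRC=192.168.1.201 DST=198.51.100.7 LEN=71 TTL=63 ID=4713 PROTO=UDP SPT=41000 DPT=53 LEN=51
Nov 23 21:14:12 gw kernel: EGRESS-UNTRUSTED IN=eth1 OUT=eth0 SRC=192.168.1.201 DST=203.0.113.10 LEN=60 TTL=63 ID=4714 DF PROTO=TCP SPT=49154 DPT=443 WINDOW=29200 SYN URGP=0
Nov 23 21:15:40 gw kernel: EGRESS-UNTRUSTED IN=eth1 OUT=eth0 SRC=192.168.1.201 DST=203.0.113.10 LEN=84 TTL=63 ID=4715 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 23 21:16:01 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.25 LEN=60 TTL=63 ID=4716 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=29200 SYN URGP=0
EOF
}

# summarize_egress_log PREFIX   (reads log lines on stdin)
# Prints "count src -> dst:dport/proto", most frequent first. Lines without
# the wanted prefix (e.g. drops from trusted devices) are ignored; ICMP has
# no destination port, so it is shown as "-".
summarize_egress_log() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = ""; dst = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "" || dst == "") next
            count[src " -> " dst ":" dpt "/" proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage on a real gateway: let the new device run for a while, then
#   journalctl -k | summarize_egress_log EGRESS-UNTRUSTED
# Here the constructed sample is summarised instead.
sample_egress_log | summarize_egress_log EGRESS-UNTRUSTED
```

Repeated SYNs to the same destination and port (here 203.0.113.10:443 three times in ten seconds) are the signature of a device retrying a blocked callback; that is the destination to resolve, look up and decide about before the device is moved to the trusted list.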
