Most small business firewalls are poorly implemented – in fact we find a properly configured firewall to be quite rare in the small-medium business sector.
The problem stems from the word ‘Firewall’: it tends to be understood as a device that ‘keeps the bad guys out’. The trouble is that, unlike the firewall in your car, the fire can start on either side.
Most inexperienced or ‘gunslinger’ IT providers make this assumption and install a firewall to protect against inbound attacks only. The fact that most consumer-grade ‘firewall’ devices allow only inbound filter rules to be set is another reason most inexperienced installers don’t see the problem.
Attacks on businesses come in two types: one is penetration from the outside; the other is internal and user-initiated, i.e. an attacker targets the users of the internal network in order to have them click something they shouldn’t (ever had spam with a link?). Once the user does this, the attacker may roam inside your network completely undetected, despite the firewall blocking all access from outside the network. Effectively, an attacker might not get in by knocking on the door, but will when someone holds the door open for them.
By developing an outgoing (egress) policy on the firewall, you can mitigate these attacks by ensuring that any unexpected traffic originating inside your network never reaches the outside world. Of course, this requires that ‘unexpected traffic’ be defined. To do this, RawInfoSec analyses your network traffic and compares it with the software installed on your workstations. From this we develop a list of outgoing traffic requirements, and that list becomes the company’s Firewall Egress Policy. The policy is built and tested on your firewall to ensure that your business needs are met first and foremost while all other traffic is dropped.
If your IT provider installed and tested your firewall in an hour or two (like most do), you are certainly at risk.
Using Firebind to test your current egress filtering
Click here to test some ports using Firebind’s Egress Tool (IsMyPortBlocked).
- Port 25 – A successful connection means your internal network workstations can be used to send spam. Proper egress filtering should allow traffic on this port only to your own mail servers.
- Port 6667 – A successful connection means your workstation can be remotely controlled as part of a botnet (commonly installed via spyware). Proper egress filtering should block this port (and the block of ports) typically used by IRC.
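The egress policy described above (a list of permitted outgoing traffic, first match wins, everything else dropped) modelled as a small rule evaluator, with the two port checks from the list encoded as rules. This is an added illustration, not RawInfoSec’s code or the Firebind tool; the mail server, resolver and LAN addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not taken from the original page).
OWN_MAIL_SERVER = ipaddress.ip_network("203.0.113.25/32")
OWN_DNS_SERVERS = ipaddress.ip_network("203.0.113.0/29")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp" or "udp"
    dports: range                    # destination port range, end exclusive
    dst: ipaddress.IPv4Network = ANY # permitted destination network
    note: str = ""                   # business reason, kept for the audit trail

# The egress policy: first matching rule wins; unmatched traffic is dropped.
EGRESS_POLICY = [
    Rule("allow", "tcp", range(25, 26), OWN_MAIL_SERVER, "SMTP only to own mail server"),
    Rule("deny",  "tcp", range(25, 26), ANY, "SMTP to foreign host: possible spam relay"),
    Rule("deny",  "tcp", range(6660, 6670), ANY, "IRC port block: possible botnet control"),
    Rule("allow", "udp", range(53, 54), OWN_DNS_SERVERS, "DNS to own resolvers"),
    Rule("allow", "tcp", range(80, 81), ANY, "HTTP"),
    Rule("allow", "tcp", range(443, 444), ANY, "HTTPS"),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def evaluate(flow: Flow, policy=EGRESS_POLICY) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound flow under the default-deny policy."""
    dst = ipaddress.ip_address(flow.dst)
    for rule in policy:
        if rule.proto == flow.proto and flow.dport in rule.dports and dst in rule.dst:
            return rule.action, rule.note
    return "deny", "not in egress policy (default drop)"

def audit(flows, policy=EGRESS_POLICY):
    """List the flows the policy would drop, with reasons, for review or alerting."""
    return [(f, evaluate(f, policy)[1]) for f in flows if evaluate(f, policy)[0] == "deny"]

SAMPLE_FLOWS = [  # constructed workstation traffic
    Flow("192.168.1.10", "203.0.113.25", 25),          # mail to own server: allowed
    Flow("192.168.1.10", "198.51.100.7", 25),          # mail elsewhere: dropped
    Flow("192.168.1.11", "198.51.100.7", 6667),        # IRC: dropped
    Flow("192.168.1.11", "198.51.100.7", 443),         # web: allowed
    Flow("192.168.1.12", "198.51.100.7", 3389),        # never defined as a need: dropped
]
```

Running `audit(SAMPLE_FLOWS)` reports the three dropped flows with their reasons, which is the list a provider should be reviewing against the business’s real requirements rather than silently widening the policy.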
- SANS Institute Egress Filtering FAQ
- SecuritySkeptic – Firewall Best Practices: Egress Traffic Filtering