Telecommunication Systems


Egress filtering

In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.

TCP/IP packets that are being sent out of the internal network are examined via a router or firewall. Packets that do not meet security policies are not allowed to leave - they are denied "egress".

Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.

In a corporate network, typically all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be set to use one of the allowed servers as a proxy. Direct access to external networks by the internal user workstation would not be allowed.

Edge networks, whether multi-homed or not, usually have a limited number of address blocks in use. Such edge networks should filter packets leaving their networks, verifying that the source IP address in every packet falls within the allocated address blocks. Enterprises, universities and others who run edge networks should be doing this. The purpose is to prevent computers on the network from spoofing (sending packets with a source address that belongs to someone else). Filtering egress packets this way on an edge network is very simple and should be done with access lists.
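The two policies described above, the server-and-protocol restriction and the anti-spoofing source check, can be modelled as a small access-list evaluator. The block below is an added example written for this page, not code from the article or from any router vendor; the address blocks, server addresses, ports and packets are constructed sample values, and the `Packet` type, `evaluate` and `filter_outbound` names are this example's own.

```python
"""Toy egress-policy evaluator (added example; not part of the original article).

It models the two checks described above: anti-spoofing (the source address
must lie within the site's allocated blocks) and protocol/host restriction
(only designated proxy, mail and DNS servers may leave the network, and only
on permitted ports). All addresses and ports are constructed sample values
from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample values: address blocks allocated to this edge network.
ALLOCATED_BLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample values: the only hosts allowed direct outbound access,
# each with the (protocol, destination port) pairs it may use.
ALLOWED_EGRESS = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},   # web proxy
    "203.0.113.25": {("tcp", 25)},                 # outbound mail relay
    "203.0.113.53": {("udp", 53), ("tcp", 53)},    # recursive DNS resolver
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def source_is_allocated(src: str) -> bool:
    """Anti-spoofing check: is the source address inside one of our blocks?"""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in ALLOCATED_BLOCKS)


def evaluate(pkt: Packet) -> tuple:
    """Return ("permit" | "deny", reason) for one outbound packet."""
    if not source_is_allocated(pkt.src):
        return ("deny", "spoofed source: %s not in allocated blocks" % pkt.src)
    permitted = ALLOWED_EGRESS.get(pkt.src)
    if permitted is None:
        return ("deny", "host %s is not an approved egress server" % pkt.src)
    if (pkt.proto, pkt.dport) not in permitted:
        return ("deny", "%s/%d not permitted for %s" % (pkt.proto, pkt.dport, pkt.src))
    return ("permit", "matches egress policy")


def filter_outbound(packets):
    """Apply the policy to a list of packets; return (permitted, denied) lists
    of (packet, reason) pairs. Denied packets are what the firewall would log."""
    permitted, denied = [], []
    for p in packets:
        verdict, reason = evaluate(p)
        (permitted if verdict == "permit" else denied).append((p, reason))
    return permitted, denied


# Constructed sample traffic: proxy HTTPS, a DNS query, a workstation trying
# to reach the Internet directly, a packet with a forged (non-allocated) source
# address, and the mail relay using a port it is not approved for.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.80", "tcp", 443),
    Packet("203.0.113.53", "192.0.2.1", "udp", 53),
    Packet("203.0.113.77", "192.0.2.80", "tcp", 443),
    Packet("10.0.0.5", "192.0.2.1", "tcp", 80),
    Packet("203.0.113.25", "192.0.2.1", "tcp", 587),
]

if __name__ == "__main__":
    ok, dropped = filter_outbound(SAMPLE_PACKETS)
    for p, reason in ok:
        print("PERMIT", p, reason)
    for p, reason in dropped:
        print("DENY  ", p, reason)
```

The order of the checks mirrors how an edge access list is usually built: the source-address test comes first because it is cheap and catches spoofing regardless of which host or protocol is involved, and the per-host protocol table only needs entries for the handful of servers that are allowed to talk to the outside at all. Everything else, including every user workstation, is denied by default.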

Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason egress filtering is an uncommon feature on consumer and very small business networks.

The recent appearance of botnets within private networks has increased the use of egress filtering by security-conscious organizations.[citation needed]

Egress filtering is also required for organizations that must comply with the PCI DSS, which mandates egress filtering from any server in the cardholder data environment. This is seen in PCI-DSS v1.2, sections 1.2.1 and 1.3.5.

See also

  • Ingress filtering
  • IP address spoofing
  • Web Proxy Autodiscovery Protocol
  • Storm botnet
