
Solved

Would an outbound ACL be overkill?

Posted on 2016-08-26
Medium Priority
114 Views
Last Modified: 2016-09-17
Hello All, today I wanted to block traffic from a couple of untrusted IPs on my ASA firewall, which I did by creating an inbound ACL applied to my external interface. The ACL specifies to block any inbound IP traffic from these addresses to any of my networks.
Would it be overkill to create an outbound ACL applied to my inside interface that specifies to block all traffic from my LAN to any of those IPs?
One of the ACLs that I have noticed in my configuration is an implied one applied to my inside interface that permits all traffic from my LAN to less trusted networks; I believe this ACL is a default one. Would I be overwriting that ACL if I apply this one?
Question by:LuiLui77
3 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41772945
I recommend outbound ACL. Permit that which you specifically want to allow, and everything else gets blocked.

In your case, a user could initiate a connection to those untrusted IPs and it wouldn't be blocked.

My default policy is to allow users to use FTP, HTTP, and HTTPS on the standard ports. That's it. No DNS, SMTP, POP3, SSH, Telnet, HTTP over tcp/8080, etc. If something else is required, it gets added to the ACL, but it isn't permitted by default. I also block traffic to all foreign IP addresses.

Obviously your DCs need to be able to make queries to other DNS servers, and you need access to and/or for mail servers.

You could put in the other rules first, and then log your general permit rule, so you can see what other traffic is also being passed, and then make a determination if you want to allow or block.
 
LVL 32

Accepted Solution

by: harbor235 (earned 2000 total points)
ID: 41772988
You should be concerned what is entering your network and what is leaving your network. Being concerned what leaves your network assists in your network not being used for nefarious purposes. Outbound security policies are a critical part of an overall sound security policy. You would be an easy target for a hacker if you did not prevent IP spoofing and if you did not limit protocols and systems that need or do not need egress services.

I do not mean this as a harsh statement, but if you do not understand the need for ingress and egress filtering you do not have a firm grasp on the threats that are facing your organization. It may appear as overreaching, but consider the following:

A hacker, or someone who has compromised one of your internal systems, may use your system to launch DoS/DDoS attacks; typically they do this from spoofed IP addresses. Or they may call home to a command and control node somewhere on the internet. In your case, if your internal systems only use certain applications and protocols, why make it wide open from inside to out? Why make it easy? Flow collection and baselining are also key components in recognizing abnormal flows. Servers that provide internal services may not need to have internet access; updates can be performed from a centralized system.

This is a huge topic and I briefly touched a few topics, but you should definitely filter outbound on all interfaces, log traffic that is denied to make visible who is trying to access other services, etc.... see my points?


harbor235 ;}
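The two answers above describe the same policy: an explicit egress ACL on the inside interface that denies the untrusted hosts, permits only what the LAN actually needs (per-server exceptions for DNS and SMTP, a small set of ports for everyone else), logs the rest, and stops spoofed sources. The configuration below is an added example written for this thread, not something either commenter posted. It also answers the question about the "implied" rule: on an ASA the inside interface permits higher-to-lower security traffic by default, but as soon as an access-group is applied to that interface the ACL governs instead and ends with an implicit deny, so anything not explicitly permitted is dropped. The addresses (RFC 5737 and private ranges), object names and the ACL name INSIDE_OUT are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Addresses, object names and the
! ACL name are assumptions for illustration only.
object-group network UNTRUSTED_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network LAN
 network-object 10.0.0.0 255.255.0.0
object network DC1
 host 10.0.0.10
object network MAILSERVER
 host 10.0.0.25

! Entries are evaluated top down and the first match wins.
! 1. Deny the untrusted hosts first so no later permit can reach them.
access-list INSIDE_OUT remark -- block the untrusted IPs in both directions of the session
access-list INSIDE_OUT extended deny ip any object-group UNTRUSTED_HOSTS log
! 2. Per-server exceptions: the DC resolves external names, the mail server sends mail.
access-list INSIDE_OUT extended permit udp object DC1 any eq domain
access-list INSIDE_OUT extended permit tcp object DC1 any eq domain
access-list INSIDE_OUT extended permit tcp object MAILSERVER any eq smtp
! 3. What every LAN host may do: FTP, HTTP and HTTPS on the standard ports only.
access-list INSIDE_OUT extended permit tcp object-group LAN any eq ftp
access-list INSIDE_OUT extended permit tcp object-group LAN any eq www
access-list INSIDE_OUT extended permit tcp object-group LAN any eq https
! 4. Everything else is dropped. The ASA would deny unmatched traffic anyway;
!    this explicit line exists so the denies are logged and counted.
access-list INSIDE_OUT extended deny ip any any log

! The "outbound" policy is applied to traffic entering the ASA on the inside
! interface, so the direction keyword is "in". Applying this replaces the
! default higher-to-lower-security permit on that interface.
access-group INSIDE_OUT in interface inside

! Unicast reverse-path check on the inside interface: packets whose source
! address is not routed via "inside" are dropped, which stops spoofed-source
! traffic from leaving the LAN.
ip verify reverse-path interface inside
```

While you are still discovering what the LAN really uses (the approach kevinhsieh describes), swap the final line for `access-list INSIDE_OUT extended permit ip object-group LAN any log`, watch the generated syslog messages, and check `show access-list INSIDE_OUT` for per-entry hit counts before turning the catch-all back into a deny. FTP works with a single permit because the ASA's default global service policy includes `inspect ftp`, which opens the data channel dynamically.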
 

Author Closing Comment

by:LuiLui77
ID: 41803366
Thank you all.
