Solved

Would an outbound ACL be an overkill?

Posted on 2016-08-26
Last Modified: 2016-09-17
Hello All, today I wanted to block traffic from a couple of untrusted IPs on my ASA firewall, which I did by creating an inbound ACL applied to my external interface. The ACL specifies to block any inbound IP traffic from these addresses to any of my networks.
Would it be an overkill to create an outbound ACL applied to my inside interface that specifies to block all traffic from my LAN to any of those IPs?
One of the ACLs that I have noticed in my configuration is an implied one applied to my inside interface that permits all traffic from my LAN to less trusted networks; I believe this ACL is a default one. Would I be overwriting this ACL if I apply this ACL?
Question by: LuiLui77
3 Comments
 
LVL 42

Expert Comment

by: kevinhsieh
ID: 41772945
I recommend outbound ACL. Permit that which you specifically want to allow, and everything else gets blocked.

In your case, a user could initiate a connection to those untrusted IPs and it wouldn't be blocked.

My default policy is to allow users to use FTP, HTTP, and HTTPS on the standard ports. That's it. No DNS, SMTP, POP3, SSH, Telnet, HTTP over tcp/8080, etc. If something else is required, it gets added to the ACL, but it isn't permitted by default. I also block traffic to all foreign IP addresses.

Obviously your DCs need to be able to make queries to other DNS servers, and you need access to and/or for mail servers.

You could put in the other rules first, and then log your general permit rule, so you can see what other traffic is also being passed, and then make a determination if you want to allow or block.
0
 
LVL 32

Accepted Solution

by: harbor235 (earned 500 total points)
ID: 41772988
You should be concerned what is entering your network and what is leaving your network. Being concerned what leaves your network assists in your network not being used for nefarious purposes. Outbound security policies are a critical part of an overall sound security policy. You would be an easy target for a hacker if you did not prevent IP spoofing and if you did not limit protocols and systems that need or do not need egress services.

I do not mean this as a harsh statement, but if you do not understand the need for ingress and egress filtering you do not have a firm grasp on the threats that are facing your organization. It may appear as overreaching, but consider the following:

A hacker, or someone that has compromised one of your internal systems, may use your system to launch DOS/DDOS; typically they do this from spoofed IP addresses. Or they may call home to a command and control node somewhere on the internet. In your case, if your internal systems only use certain applications and protocols, why make it wide open from inside to out? Why make it easy? Flow collection and baselining are also key components in recognizing abnormal flows. Servers that provide internal services may not need to have internet access; updates can be performed from a centralized system.

This is a huge topic and I only briefly touched a few points, but you should definitely filter outbound on all interfaces, and log traffic that is denied to make visible who is trying to access other services, etc. See my points?


harbor235 ;}
1
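The ingress plus egress ACL pair that both answers recommend, written out as an added Cisco ASA configuration example (not from the thread or from either expert). Object names, ACL names, the resolver host and the addresses are constructed placeholders from documentation ranges.

```cisco
! Constructed example for a Cisco ASA (8.3+ object syntax). The untrusted hosts,
! LAN range and resolver address are placeholders, not values from the thread.
object-group network UNTRUSTED_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network LAN_NETS
 network-object 192.168.10.0 255.255.255.0

! Inbound ACL on the outside interface: it only sees new connections that the
! untrusted hosts initiate. The ASA is stateful, so return traffic for a session a
! LAN host opened towards them passes on the connection table and is never matched
! here. That is why an inbound-only ACL does not stop an internal machine from
! reaching those addresses.
access-list OUTSIDE_IN extended deny ip object-group UNTRUSTED_HOSTS any log
access-list OUTSIDE_IN remark Existing permits for published services follow here
access-group OUTSIDE_IN in interface outside

! Egress ACL, bound in the "in" direction on the inside interface (traffic arriving
! at the firewall from the LAN). The "permit everything to lower security" behaviour
! the question mentions is an implicit rule, not an ACL line in the config: binding
! an ACL to this interface replaces it, and the ACL's implicit deny-all at the end
! takes over, so every required outbound service must now be permitted explicitly.
access-list INSIDE_IN remark Deny the untrusted hosts first, whatever the protocol
access-list INSIDE_IN extended deny ip object-group LAN_NETS object-group UNTRUSTED_HOSTS log
access-list INSIDE_IN remark Only the internal resolver (placeholder DC) may send DNS out
access-list INSIDE_IN extended permit udp host 192.168.10.5 any eq domain
access-list INSIDE_IN extended permit tcp host 192.168.10.5 any eq domain
access-list INSIDE_IN remark Default user policy: FTP, HTTP and HTTPS on standard ports
access-list INSIDE_IN extended permit tcp object-group LAN_NETS any eq ftp
access-list INSIDE_IN extended permit tcp object-group LAN_NETS any eq http
access-list INSIDE_IN extended permit tcp object-group LAN_NETS any eq https
access-list INSIDE_IN remark Explicit, logged final deny so unexpected egress is visible
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Anti-spoofing on the LAN side: drop packets whose source is not routable back
! through the inside interface (Unicast RPF), complementing the LAN_NETS source match.
ip verify reverse-path interface inside
```

To follow kevinhsieh's profiling suggestion, temporarily replace the final deny with `permit ip object-group LAN_NETS any log` and review the syslog hits before tightening the list.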
 

Author Closing Comment

by: LuiLui77
ID: 41803366
Thank you all.
0
