Would an outbound ACL be overkill?

Hello all, today I wanted to block traffic from a couple of untrusted IPs on my ASA firewall, which I did by creating an inbound ACL applied to my external interface. The ACL specifies to block any inbound IP traffic from these addresses to any of my networks.
Would it be overkill to create an outbound ACL applied to my inside interface that specifies to block all traffic from my LAN to any of those IPs?
One of the ACLs that I have noticed in my configuration is an implied one, applied to my inside interface, that permits all traffic from my LAN to less trusted networks; I believe this ACL is a default one. Would I be overwriting this implied ACL if I apply the new one?
LuiLui77 Asked:
kevinhsieh Commented:
I recommend outbound ACL. Permit that which you specifically want to allow, and everything else gets blocked.

In your case, a user could initiate a connection to those untrusted IPs and it wouldn't be blocked.

My default policy is to allow users to use FTP, HTTP, and HTTPS on the standard ports. That's it. No DNS, SMTP, POP3, SSH, Telnet, HTTP over tcp/8080, etc. If something else is required, it gets added to the ACL, but it isn't permitted by default. I also block traffic to all foreign IP addresses.

Obviously your DCs need to be able to make queries to other DNS servers, and you need access to and/or from mail servers.

You could put in the other rules first, and then log your general permit rule, so you can see what other traffic is also being passed, and then make a determination if you want to allow or block.
0
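Here is what the allowlist kevinhsieh describes looks like as ASA configuration, with the OP's untrusted addresses denied explicitly at the top. This is an added example, not configuration from the thread or from either poster; the interface names, the 10.0.0.0/24 LAN, the DC and mail server hosts, and the 203.0.113.x addresses (RFC 5737 documentation range, standing in for the real untrusted IPs) are all assumptions. Two ASA details matter when applying it. First, on the ASA an egress policy is bound with `in` on the inside interface, because the direction refers to packets entering the firewall on that interface (`out` would filter traffic leaving the ASA through the inside interface). Second, the moment any ACL is bound to the inside interface, the implied higher-to-lower-security permit the OP noticed no longer applies to that interface: every applied ACL ends in an implicit deny, so anything not listed (the DCs' DNS included) is dropped.

```cisco
! Added example, not from the original thread.
! Addresses, host roles and interface names are assumptions.
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
object-group network DOMAIN-CONTROLLERS
 network-object host 10.0.0.10
 network-object host 10.0.0.11
object-group network MAIL-SERVER
 network-object host 10.0.0.25
object-group network UNTRUSTED-HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group service USER-EGRESS tcp
 port-object eq ftp
 port-object eq www
 port-object eq https

! ACEs are evaluated top down and the first match wins.
! 1. Explicit, logged deny of the untrusted hosts in the LAN-to-Internet direction.
!    The "log" keyword turns each hit into syslog 106100, which names the
!    internal host that tried to reach them.
access-list INSIDE_IN extended deny ip object-group LAN object-group UNTRUSTED-HOSTS log
! 2. Narrow exceptions before the general rule: only the DCs resolve DNS upstream,
!    only the mail server talks SMTP outbound.
access-list INSIDE_IN extended permit udp object-group DOMAIN-CONTROLLERS any eq domain
access-list INSIDE_IN extended permit tcp object-group DOMAIN-CONTROLLERS any eq domain
access-list INSIDE_IN extended permit tcp object-group MAIL-SERVER any eq smtp
! 3. What users get by default: FTP, HTTP and HTTPS on the standard ports only.
access-list INSIDE_IN extended permit tcp object-group LAN any object-group USER-EGRESS
! 4. Everything else is dropped. The implicit deny would do this anyway; writing it
!    out with "log" is what shows which other protocols hosts are trying to use.
access-list INSIDE_IN extended deny ip any any log

! Bind the ACL in the "in" direction on the inside interface.
access-group INSIDE_IN in interface inside
```

Two notes on using it. FTP only works through this ACL because the ASA's default global policy inspects FTP and opens the data channel dynamically; if `inspect ftp` has been removed from the global policy, passive FTP will fail even though port 21 is permitted. And to do the discovery step kevinhsieh suggests, temporarily replace the final `deny ip any any log` with `permit ip object-group LAN any log`, read the 106100 messages for a few days, and then convert the traffic you want to keep into specific permits before putting the deny back.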
harbor235 Commented:
You should be concerned with what is entering your network and with what is leaving it. Being concerned with what leaves your network helps keep your network from being used for nefarious purposes. Outbound security policies are a critical part of an overall sound security policy. You would be an easy target for a hacker if you did not prevent IP spoofing and if you did not limit which protocols and systems do or do not get egress services.

I do not mean this as a harsh statement, but if you do not understand the need for ingress and egress filtering, you do not have a firm grasp on the threats that are facing your organization. It may appear to be overreaching, but consider the following:

A hacker, or someone who has compromised one of your internal systems, may use your system to launch DoS/DDoS attacks; typically they do this from spoofed IP addresses. Or they may call home to a command-and-control node somewhere on the internet. In your case, if your internal systems only use certain applications and protocols, why make it wide open from inside to out? Why make it easy? Flow collection and baselining are also key components in recognizing abnormal flows. Servers that provide internal services may not need to have internet access; updates can be performed from a centralized system.

This is a huge topic and I have only briefly touched on a few points, but you should definitely filter outbound on all interfaces, log traffic that is denied to make visible who is trying to access other services, etc. See my points?


harbor235 ;}
1
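harbor235's three points (anti-spoofing, egress filtering on every interface including a server segment that needs no internet access, and logging of denies so abnormal flows become visible) as ASA configuration. This is an added example, not configuration from the thread or from the poster; the `servers` interface, the 10.0.10.0/24 server subnet, the single update server, the 10.0.0.0/24 LAN and the syslog collector address are assumptions.

```cisco
! Added example, not from the original thread.
! Interface names, subnets, the update server and the syslog host are assumptions.

! Anti-spoofing (unicast RPF): drop any packet whose source address is not routed
! back through the interface it arrived on. A compromised host sending DoS traffic
! with a forged source is dropped here and logged as syslog 106021.
ip verify reverse-path interface inside
ip verify reverse-path interface servers
ip verify reverse-path interface outside

! The server segment gets its own egress ACL. Internal-only servers may still talk
! to the LAN (e.g. to the DCs), but they get no internet access at all; the one
! central update server is the only exception.
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
object-group network INTERNAL-SERVERS
 network-object 10.0.10.0 255.255.255.0
object-group network UPDATE-SERVER
 network-object host 10.0.10.5
object-group service UPDATE-EGRESS tcp
 port-object eq www
 port-object eq https

! Server-initiated traffic to the LAN must be permitted explicitly, because the
! logged deny below covers "any" and would otherwise cut the servers off from the
! DCs as well as from the internet. Replies to LAN-initiated connections are
! handled by the ASA's stateful inspection and need no ACE here.
access-list SERVERS_IN extended permit ip object-group INTERNAL-SERVERS object-group LAN
access-list SERVERS_IN extended permit tcp object-group UPDATE-SERVER any object-group UPDATE-EGRESS
access-list SERVERS_IN extended deny ip object-group INTERNAL-SERVERS any log
access-group SERVERS_IN in interface servers

! Make the denies visible: keep them in the local buffer and ship them to a syslog
! collector where they can be baselined. ACE hits flagged with "log" are emitted as
! 106100 at level 6 (informational) by default, so that level must be let through;
! the 106021 reverse-path denies are level 1 and are included automatically.
logging enable
logging timestamp
logging buffer-size 65536
logging buffered informational
logging trap informational
logging host inside 10.0.0.50
```

Check the result with `show access-list SERVERS_IN`, which prints a hit count per ACE: a rising count on the final deny is exactly the "who is trying to access other services" signal harbor235 describes. By default the `log` keyword rate-limits repeated hits of the same flow to one message per 300 seconds, so a single scanning host shows up as a steady trickle rather than one entry per packet.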

LuiLui77 (Author) Commented:
Thank you all.
0