Would an outbound ACL be overkill?

Hello all. Today I wanted to block traffic from a couple of untrusted IPs on my ASA firewall, which I did by creating an inbound ACL applied to my external interface. The ACL specifies to block any inbound IP traffic from these addresses to any of my networks.
Would it be overkill to create an outbound ACL applied to my inside interface that specifies to block all traffic from my LAN to any of those IPs?
One of the ACLs that I have noticed in my configuration is an implied one applied to my inside interface that permits all traffic from my LAN to less trusted networks; I believe this ACL is a default one. Would I be overwriting that ACL if I apply this one?
LuiLui77 asked:

harbor235 commented:
You should be concerned about what is entering your network and what is leaving your network. Being concerned about what leaves your network helps keep your network from being used for nefarious purposes. Outbound security policies are a critical part of an overall sound security policy. You would be an easy target for a hacker if you did not prevent IP spoofing and if you did not limit the protocols and systems that need or do not need egress services.

I do not mean this as a harsh statement, but if you do not understand the need for ingress and egress filtering, you do not have a firm grasp on the threats that are facing your organization. It may appear as overreaching, but consider the following:

A hacker, or someone who has compromised one of your internal systems, may use your system to launch DoS/DDoS attacks; typically they do this from spoofed IP addresses. Or they may call home to a command and control node somewhere on the internet. In your case, if your internal systems only use certain applications and protocols, why make it wide open from inside to out? Why make it easy? Flow collection and baselining are also key components in recognizing abnormal flows. Servers that provide internal services may not need to have internet access; updates can be performed from a centralized system.

This is a huge topic and I have only briefly touched a few points, but you should definitely filter outbound on all interfaces, log traffic that is denied to make visible who is trying to access other services, etc. See my points?


harbor235 ;}
1
 
kevinhsieh commented:
I recommend an outbound ACL. Permit that which you specifically want to allow, and everything else gets blocked.

In your case, a user could initiate a connection to those untrusted IPs and it wouldn't be blocked.

My default policy is to allow users to use FTP, HTTP, and HTTPS on the standard ports. That's it. No DNS, SMTP, POP3, SSH, Telnet, HTTP over tcp/8080, etc. If something else is required, it gets added to the ACL, but it isn't permitted by default. I also block traffic to all foreign IP addresses.

Obviously your DCs need to be able to make queries to other DNS servers, and you need access to and/or from mail servers.

You could put in the other rules first, and then log your general permit rule, so you can see what other traffic is also being passed, and then make a determination of whether you want to allow or block it.
0
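The egress policy both answers describe (explicit deny to the untrusted hosts, permit only the needed services, log everything else, and anti-spoofing), written out as an ASA configuration. This is an added example, not the asker's configuration or either answerer's; the object names, the LAN range 192.168.10.0/24, the DNS and mail server hosts, and the two untrusted addresses are placeholders. On the ASA, traffic from a higher-security interface to a lower one is permitted implicitly only while no ACL is bound to the interface; binding one replaces that implicit permit with an implicit deny at the end of the list, which is the behaviour the asker's last question is about.

```cisco
! Added example configuration (placeholder names and addresses, not from the thread).
! Untrusted hosts the asker already blocks inbound; block them outbound as well.
object-group network UNTRUSTED_IPS
 network-object host 198.51.100.10
 network-object host 203.0.113.25
!
object-group network LAN
 network-object 192.168.10.0 255.255.255.0
!
! Only the services users are allowed to reach directly (kevinhsieh's default policy).
object-group service USER_TCP_PORTS tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
!
! Order matters: the first matching line wins.
! 1. Explicit deny to the untrusted hosts, logged, so hits are visible in syslog.
access-list INSIDE_OUT extended deny ip object-group LAN object-group UNTRUSTED_IPS log
! 2. Users: FTP/HTTP/HTTPS only.
access-list INSIDE_OUT extended permit tcp object-group LAN any object-group USER_TCP_PORTS
! 3. Infrastructure exceptions: the DC resolves externally, the mail server sends SMTP.
access-list INSIDE_OUT extended permit udp host 192.168.10.5 any eq domain
access-list INSIDE_OUT extended permit tcp host 192.168.10.6 any eq smtp
! 4. Everything else is dropped and logged; this makes the implicit deny explicit
!    so the hit counter and log messages show what is being blocked.
access-list INSIDE_OUT extended deny ip any any log
!
! Bind the list to traffic entering the ASA on the inside interface (LAN -> outside).
access-group INSIDE_OUT in interface inside
!
! Unicast RPF on the inside interface: drops packets whose source address is not
! reachable via that interface, i.e. spoofed sources from a compromised host.
ip verify reverse-path interface inside
```

Use `show access-list INSIDE_OUT` to read the per-line hit counts after the list has been in place for a while; the final logged deny is where unexpected traffic (a server reaching out, a forgotten protocol) shows up before you decide whether to permit it, which is the staged approach described in the second answer.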
 
LuiLui77 (author) commented:
Thank you all.
0