Solved

Would an outbound ACL be overkill?

Posted on 2016-08-26
Last Modified: 2016-09-17
Hello All, today I wanted to block traffic from a couple of untrusted IPs on my ASA firewall, which I did by creating an inbound ACL applied to my external interface. The ACL specifies to block any inbound IP traffic from these addresses to any of my networks.
Would it be overkill to create an outbound ACL applied to my inside interface that specifies to block all traffic from my LAN to any of those IPs?
One of the ACLs that I have noticed in my configuration is an implied one applied to my inside interface that permits all traffic from my LAN to less trusted networks; I believe this ACL is a default one. Would I be overwriting this ACL if I apply the new ACL?
Question by: LuiLui77
3 Comments
Expert Comment by: kevinhsieh (ID: 41772945)
I recommend an outbound ACL. Permit that which you specifically want to allow, and everything else gets blocked.

In your case, a user could initiate a connection to those untrusted IPs and it wouldn't be blocked.

My default policy is to allow users to use FTP, HTTP, and HTTPS on the standard ports. That's it. No DNS, SMTP, POP3, SSH, Telnet, HTTP over TCP/8080, etc. If something else is required, it gets added to the ACL, but it isn't permitted by default. I also block traffic to all foreign IP addresses.

Obviously your DCs need to be able to make queries to other DNS servers, and you need access to and/or for mail servers.

You could put in the other rules first, and then log your general permit rule, so you can see what other traffic is also being passed, and then make a determination whether you want to allow or block it.
Accepted Solution by: harbor235 (earned 500 total points, ID: 41772988)
You should be concerned with what is entering your network and what is leaving your network. Being concerned with what leaves your network helps keep your network from being used for nefarious purposes. Outbound security policies are a critical part of an overall sound security policy. You would be an easy target for a hacker if you did not prevent IP spoofing and if you did not limit the protocols and systems that need or do not need egress services.

I do not mean this as a harsh statement, but if you do not understand the need for ingress and egress filtering, you do not have a firm grasp on the threats that are facing your organization. It may appear to be overreaching, but consider the following:

A hacker, or someone who has compromised one of your internal systems, may use your system to launch DoS/DDoS attacks; typically they do this from spoofed IP addresses. Or they may call home to a command and control node somewhere on the internet. In your case, if your internal systems only use certain applications and protocols, why make it wide open from inside to out? Why make it easy? Flow collection and baselining are also key components in recognizing abnormal flows. Servers that provide internal services may not need to have internet access; updates can be performed from a centralized system.

This is a huge topic and I have only briefly touched on a few points, but you should definitely filter outbound on all interfaces, and log traffic that is denied to make visible who is trying to access other services, etc. ... see my points?


harbor235 ;}
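Putting the two replies above into ASA configuration, as an added example (this is not from either reply or from the asker's configuration). It shows the ingress ACL the question already describes, an egress ACL on the inside interface that permits only FTP/HTTP/HTTPS for workstations plus DNS for a domain controller and SMTP for a mail server, a logged catch-all deny for baselining, and unicast reverse-path checks against spoofed sources. All object names, ACL names and addresses (LAN 10.0.0.0/24, DC 10.0.0.5, mail server 10.0.0.25, untrusted hosts 203.0.113.10 and 198.51.100.7) are assumptions for illustration. Two ASA facts the example relies on: an ACL bound to the outside interface never sees an inside-initiated session, because return packets are matched by the connection table rather than the ACL, which is why the outside-in deny alone does not stop a LAN host from reaching those IPs; and binding an access-group to the inside interface replaces the implicit "higher security level to lower is permitted" behaviour with the ACL's rules followed by an implicit deny.

```cisco
! Added example, not the thread's own configuration. Names and addresses
! are assumed: LAN 10.0.0.0/24, DC 10.0.0.5, mail 10.0.0.25,
! untrusted hosts 203.0.113.10 and 198.51.100.7.

! --- Objects ---
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network DC1
 host 10.0.0.5
object network MAIL1
 host 10.0.0.25
object-group network UNTRUSTED
 network-object host 203.0.113.10
 network-object host 198.51.100.7

! --- Ingress on outside (what the question already has) ---
! Blocks sessions the untrusted hosts try to open towards us; it does not
! affect sessions our LAN opens towards them.
access-list OUTSIDE_IN extended deny ip object-group UNTRUSTED any log
! ... existing inbound permits (published services, VPN, etc.) go here ...
access-group OUTSIDE_IN in interface outside

! --- Egress on inside: permit only what is needed, deny and log the rest ---
! Explicit denies first, so no later permit can let this traffic through.
access-list INSIDE_IN extended deny ip any object-group UNTRUSTED log
! Only the DC resolves external names; workstations query the DC.
access-list INSIDE_IN extended permit udp object DC1 any eq domain
access-list INSIDE_IN extended permit tcp object DC1 any eq domain
! Only the mail server speaks SMTP to the internet.
access-list INSIDE_IN extended permit tcp object MAIL1 any eq smtp
! Workstation default: FTP, HTTP and HTTPS on standard ports, nothing else.
access-list INSIDE_IN extended permit tcp object LAN any eq ftp
access-list INSIDE_IN extended permit tcp object LAN any eq www
access-list INSIDE_IN extended permit tcp object LAN any eq https
! Catch-all with logging: the implicit deny at the end of an ACL does not
! log, so make the final deny explicit. While baselining, change "deny" to
! "permit" on this one line and read the log to see what else is in use.
access-list INSIDE_IN extended deny ip any any log

! Binding the ACL replaces the implicit higher-to-lower permit on "inside".
access-group INSIDE_IN in interface inside

! --- Anti-spoofing: drop packets whose source address is not reachable
! back out the interface they arrived on (unicast RPF), both directions.
ip verify reverse-path interface inside
ip verify reverse-path interface outside

! Make the "log" keywords above actually produce messages.
logging enable
logging buffered informational
```

The order of the egress entries matters: the ASA evaluates an ACL top-down and stops at the first match, so the deny towards UNTRUSTED sits above the broad workstation permits, and the logged `deny ip any any` sits last. Add further lines only as a specific system demonstrates a need, which keeps the default for everything else at deny.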
Author Closing Comment by: LuiLui77 (ID: 41803366)
Thank you all.