March 6, 2014

Outbound firewall rules any good?

Maybe to slow down deployment of trojans/botnets. Outbound filtering is not of much use beyond that. Here's why.

Tools to build an outbound firewall exist, but the ruleset keeps growing and changing constantly, which makes outbound firewalls hard to maintain.

Opening just the basic outbound ports (ICMP, DNS, HTTP, HTTPS) has little impact on security. Botnets use port 80 to connect to C&C servers.

DNS should be restricted to the configured DNS server since it can be used to construct tunnels through the firewall.

ICMP can carry arbitrary payloads, so it too can be used to open a tunnel through the firewall. The only option available to the poor system administrator is to disable it completely.

HTTP will require a transparent proxy in order to provide reasonable domain-level filtering. Domains are hard to filter at the iptables layer. That domain-level filtering is where the outbound firewall gets complicated.

HTTPS requires a man-in-the-middle attack in order to be intercepted on a transparent proxy for the purpose of domain-level filtering. That's unreasonably complicated. I bet most people don't do it. And even such a "transparent" proxy can still break some software.

Proper trojan protection would require user account isolation and maybe tricks like SELinux to be effective.

An outbound proxy is thus of little use. I will nevertheless implement the 4-port restriction as a starting point for possible future filtering.
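The 4-port baseline described above, as an added example rather than the post's own ruleset: a shell function that emits the iptables OUTPUT-chain rules, with DNS pinned to the configured resolver, ICMP left blocked by the default policy, and HTTP/HTTPS open to anywhere. DNS_SERVER is a placeholder for the resolver in /etc/resolv.conf, and IPT defaults to echo so the rules can be reviewed before being applied for real.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: DNS_SERVER is a
# placeholder from the RFC 5737 documentation range; set IPT=iptables to apply.
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
IPT="${IPT:-echo iptables}"

outbound_rules() {
    # Start from a clean OUTPUT chain; every rule below is an explicit allow.
    $IPT -F OUTPUT
    # Loopback, plus replies belonging to sessions already accepted inbound
    # (e.g. the SSH session used to load these rules).
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS only to the configured resolver: direct DNS tunnels to arbitrary
    # hosts now fail (tunnelling through the resolver itself is still possible).
    $IPT -A OUTPUT -p udp --dport 53 -d "$DNS_SERVER" -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -d "$DNS_SERVER" -j ACCEPT
    # HTTP and HTTPS to anywhere: as the post notes, port 80/443 C&C traffic
    # passes unchanged, so domain-level filtering would need a proxy.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # No ICMP rule at all: ICMP is dropped by the policy below, the
    # "disable it completely" option from the post.
    # Log what the policy is about to drop, rate-limited to avoid log floods.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
    # Default deny is set last so the session loading the rules is not cut
    # off before the ESTABLISHED rule exists.
    $IPT -P OUTPUT DROP
}

outbound_rules
```

Run it as-is to print the rules; only after checking the output against the resolver address should it be run with IPT=iptables as root.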
