This is part 1 of a discussion around wide open outbound Internet access policy.
We encounter many clients that have no outbound restrictions in place on their firewall policy. Their firewall is essentially wide open to the Internet, because they allow any machine on the internal network to make connections to any explicit Internet host on any service port. Essentially, they have a rule (or rules) that says “allow my entire internal network to reach all Internet destinations for any application for any purposes at all.” That configuration has serious security risks that all clients should understand.
Below is a brief discussion that highlights some of the more acute aspects of the risks. Part 2 will discuss solution methods.
A wide open outbound policy allows internal hosts within your network to reach their own choice of any Internet DNS server and this exposes those hosts to:
- The risk of communicating with (or phoning home to) C&C hosts. If a machine in the internal network is infected with malware such as ransomware then a last line of defense against broader damage to the entire end point inventory is to stop the malware from communicating with C&C servers. A firewall policy that blocks access to DNS servers helps to protect against malware that is trying to phone home through the DNS service ports.
- The risk of being redirected to phishing sites. Allowing access to phishing sites is a very bad idea and should be stopped. Therefore, blocking DNS access to the Internet stops access to DNS servers that have been affected by cache poisoning or other forms of compromise. DNS servers that have been affected in this way become a platform for spreading phishing sites.
Unrestricted Access to C&C Servers
A wide open outbound policy allows all the hosts within a network to connect to C&C hosts directly and without restriction. If an internal machine is infected with malware (especially ransomware), it generally cannot do any harm until the malware makes a connection to a command and control host which are out there on the Internet somewhere. Once the connection to a C&C host is made, then the malware is activated and weaponized. The compromised host is now controlled by malicious people who seek to do harm, steal and extort. A simple solution is to install a C&C host list onto the firewall and to block access to those hosts.
- C&C host lists are not being utilized to block and monitor for known C&C hosts. Use C&C block lists and deny access to them.
- Open ports can be used by malware to control infected machines. Blocking C&C hosts helps to stop malware from being weaponized on compromised internal machines.
Non-Corporate Application Use
Non-corporate applications, including Tor (and many others), can be used in your network, which increases the risk of malware entering the environment. With a completely open outbound policy, there is nothing to stop almost any kind of application from operating once it is installed on an internal machine. This means that both good and bad applications can reach the Internet. So although the open policy allows for ease of use (for systems administrators), it also introduces significant risks attached to users operating applications that are in the range from very dangerous through to not corporate authorized to outright illegal.
Internal machines are able to connect to external proxies via unusual ports to circumvent any URL filtering controls you may have in place.
- Internal machines are able to connect to various risky Internet services such as public anonymizers, public proxies and public VPNs that make it easy to leak data from your organization and bypass any controls you may think you have in place to control access to web sites.
- Exploited internal machines can be used to:
- Join digital currency bot networks. These may be compromised machines that have been instructed (by C&C) to mine digital currency or they could be machines set up by staff members to mine digital currency. Regardless of the motivation, company resources are being stolen and the risk of malware propagation is heightened.
- Exfiltrate sensitive data from your network. Whether by innocent or intentional staff or bad actors, unrestricted outbound access makes it simply too easy for them.
- Allow compromised hosts to become part of a spam sender network. Thus, risking getting the corporation blocked by the various blocking lists.
This is only a short list of reasons why wide open outbound access to the Internet is poor network security practice. Part 2 of this article will follow at a future date.