isalazyadmin.net

Just a place to braindump my thoughts, talk about IT and other random stuff.

Is outbound filtering useless?

I regularly find myself in discussions about firewalls and system security, and for some time now I have advised people not to filter outbound traffic on desktops and on most servers. I cannot believe how many people freak out when I say this; most system administrators I have had this discussion with assume I am joking, while I am in fact dead serious.

People usually start arguing that a system is much less secure if you simply allow all outgoing traffic, and to some extent I agree with that statement. I would also recommend filtering both inbound and outbound traffic on border systems: firewalls between you and the internet, firewalls between a management network and the everyday LAN, and servers that host highly confidential data.

The reason I take this stance is that managing outbound filtering on desktops, and to some extent on servers, is a real pain in the ass and can plainly break things. Add to that the management overhead on the IT department: configuring outbound filtering correctly is much more complex than filtering inbound traffic, and it requires detailed knowledge of the software you run in your environment and of the services you provide to your end users.

Think about the following for a few minutes, really think about it. If an attacker is able to send outbound traffic from one of your boxes to the outside world, he or she already has access to that box and has already circumvented every precaution you took to prevent exactly that. In short: if a malicious user can send traffic from your box to the internet, you are owned already.

The only thing outbound filtering buys you in that situation is an attempt to make an infected machine, one you can no longer trust or control, behave nicely on your network. That is pointless, because an attacker can simply reuse a port or connection that is already allowed out to do his or her dirty work. In the rare case where all outgoing traffic is blocked and the attacker has no allowed port to piggyback on, I would ask myself: why does this machine have a network cable attached at all?

Some people would say that outbound filtering reduces the likelihood of malicious scripts sending email from infected machines, or of other malicious activity such as harvesting personal data. But in all fairness, what corporate environment does not let its users send email or use a normal web browser for their day-to-day work? There are always some open ports, unless you want your users twiddling their thumbs all day long. I have yet to meet an employer who likes that idea; if you know one, please let me know.
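To make the two arguments above concrete (an attacker reuses a port that is already allowed out, and there are always some open ports), here is an added example, not code from the original post: a toy first-match egress-policy evaluator with default deny, fed a typical workstation whitelist and a handful of constructed flows. The rule set, the 10.0.0.0/24 internal range, the mail relay at 10.0.0.10 and the destination addresses (taken from the TEST-NET documentation ranges) are all assumptions made for the example.

```python
"""Toy egress-policy evaluator (added example, not from the original post).

Rules are evaluated first-match; a flow that matches nothing is denied.
Addresses and ports below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    note: str = ""      # label for the constructed sample flows


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "deny"
    proto: Optional[str] = None                 # None matches any protocol
    dst_net: Optional[str] = None               # CIDR; None matches any destination
    dst_ports: Optional[frozenset] = None       # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_net is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports is not None and flow.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return "allow" or "deny" for a flow: first matching rule wins, else deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"   # default deny: nothing matched


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Evaluate every flow and return (note, decision) pairs, in order."""
    return [(f.note, evaluate(rules, f)) for f in flows]


# A fairly strict workstation egress whitelist (assumed values):
#   DNS only to the internal resolvers, SMTP only to the corporate relay,
#   HTTP/HTTPS to anywhere, everything else dropped.
WORKSTATION_EGRESS = [
    Rule("allow", "udp", "10.0.0.0/24", frozenset({53})),
    Rule("allow", "tcp", "10.0.0.0/24", frozenset({53})),
    Rule("allow", "tcp", "10.0.0.10/32", frozenset({25, 587})),
    Rule("allow", "tcp", None, frozenset({80, 443})),
    Rule("deny"),
]

# Constructed sample flows; the destinations are documentation (TEST-NET) addresses.
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.5", 443, "user browsing a normal website"),
    Flow("tcp", "10.0.0.10", 587, "user sending mail via the corporate relay"),
    Flow("tcp", "198.51.100.20", 25, "mass-mailer talking straight to an external MX"),
    Flow("tcp", "198.51.100.7", 6667, "bot joining an IRC command channel"),
    Flow("udp", "8.8.8.8", 53, "malware using an external resolver for DNS tunnelling"),
    Flow("tcp", "203.0.113.99", 443, "malware C2 over HTTPS (looks exactly like browsing)"),
    Flow("tcp", "203.0.113.40", 8443, "legitimate vendor app on a non-standard port"),
]


if __name__ == "__main__":
    for note, decision in audit(WORKSTATION_EGRESS, SAMPLE_FLOWS):
        print(f"{decision:5}  {note}")
```

Running it shows both halves of the trade-off. The whitelist does stop the direct-to-MX spammer, the IRC bot and the external-resolver DNS tunnel, so restricting TCP/25 to the mail relay is the one cheap win worth keeping even if you agree with the post. But the HTTPS command-and-control flow is allowed, because it is indistinguishable from a user browsing, while the legitimate vendor application on port 8443 is broken, which is precisely the helpdesk ticket the post is complaining about.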