Egress filtering

Monitoring and/or restricting outbound network traffic

In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP computer network to the Internet that is controlled.

TCP/IP packets that are being sent out of the internal network are examined via a router, firewall, or similar edge device. Packets that do not meet security policies are not allowed to leave – they are denied "egress".

Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.

In a corporate network, typical recommendations are that all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be configured, either manually or via proxy auto-config, to use one of the allowed servers as a proxy.

Corporate networks also typically have a limited number of internal address blocks in use. An edge device at the boundary between the internal corporate network and external networks (such as the Internet) is used to perform egress checks against packets leaving the internal network, verifying that the source IP address in all outbound packets is within the range of allocated internal address blocks.

Egress filtering may require policy changes and administrative work whenever a new application requires external network access. For this reason, egress filtering is an uncommon feature on consumer and very small business networks. PCI DSS requires outbound filtering to be in place on any server in the cardholder's environment. This is described in PCI-DSS v3.0, requirement 1.3.3.

See also

Content-control software
Ingress filtering
Web Proxy Autodiscovery Protocol
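The corporate egress policy the article describes (source addresses must fall within the allocated internal blocks, only a select set of servers may originate outbound traffic, and only HTTP, email and DNS are permitted) as an added Python model of an edge-device check; this is example code, not part of the original article, and the address blocks, server addresses, ports and sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy for one corporate network (constructed values).
INTERNAL_BLOCKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
# The select set of servers allowed to talk to the outside directly:
# web proxy, mail relay and DNS resolver (constructed addresses).
ALLOWED_EGRESS_SERVERS = {"10.0.0.10", "10.0.0.25", "10.0.0.53"}
# Only select protocols leave the network: HTTP/HTTPS, email (SMTP), DNS.
ALLOWED_DEST_PORTS = {80, 443, 25, 53}


@dataclass(frozen=True)
class Packet:
    """Fields of an outbound packet that the egress check inspects."""
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def egress_decision(pkt):
    """Return ("permit"|"deny", reason) for one packet leaving the edge."""
    src = ipaddress.ip_address(pkt.src)
    # 1. Source must be within the allocated internal address blocks;
    #    anything else did not legitimately originate inside this network.
    if not any(src in block for block in INTERNAL_BLOCKS):
        return ("deny", "source not in allocated internal address blocks")
    # 2. Only the select set of servers may originate outbound traffic;
    #    user workstations are expected to go through one of them as a proxy.
    if pkt.src not in ALLOWED_EGRESS_SERVERS:
        return ("deny", "host is not an allowed egress server; use the proxy")
    # 3. Of those servers, only the permitted protocols are allowed out.
    if pkt.dport not in ALLOWED_DEST_PORTS:
        return ("deny", "destination port %d is not an allowed protocol" % pkt.dport)
    return ("permit", "matches egress policy")


# Constructed sample traffic as seen by the edge device.
SAMPLE_PACKETS = [
    Packet("192.168.1.50", "203.0.113.5", "tcp", 443),  # workstation direct to web
    Packet("10.0.0.10", "203.0.113.5", "tcp", 443),     # web proxy to the same site
    Packet("203.0.113.77", "198.51.100.1", "tcp", 80),  # source outside our blocks
    Packet("10.0.0.53", "198.51.100.1", "udp", 53),     # resolver doing DNS
    Packet("10.0.0.10", "198.51.100.9", "tcp", 6667),   # proxy to a non-allowed port
]


def filter_egress(packets):
    """Apply the policy to a batch of packets; returns the list of verdicts."""
    return [egress_decision(p)[0] for p in packets]
```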