Ingress & Egress Filtering

Ingress Filtering

Description

Ingress filtering is the practice of monitoring, controlling and restricting traffic entering a network with the objective of ensuring that only legitimate traffic is allowed to enter and that unauthorised or malicious traffic is prevented from doing so.

Ingress filtering is primarily achieved through the use of predefined security rules (i.e. packet filtering) and policies implemented on the perimeter firewall, to ensure that inbound traffic comes from the network from which it claims to originate. Network administrators are advised to ensure that appropriate measures are taken to prevent unauthorised access to the internet access router, as it is located outside the perimeter firewall, and, if Simple Network Management Protocol (SNMP) is enabled, that appropriate measures are implemented to prevent it from being exploited.

Ingress filtering is a simple and effective method to limit the impact of a Denial of Service (DoS) attack by denying network access to traffic with a forged IP source address (IP spoofing), and it helps ensure that traffic is traceable to its correct network.

Internet Access Router & Perimeter Firewall Rules

The ingress filtering configuration of a network will depend upon the requirements of the organisation. However, a number of filtering options implemented in the internet access router, and rules in relation to the perimeter firewall, have become best practice.

Internet Access Router - Filtering options

Internet Access Router - Inbound Data Traffic to be Filtered & Blocked
The bogons list - This list includes the entire class of private and reserved IP addresses.
Inbound data traffic sourced from the network's own range of IP addresses.
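
The two router filters above can be expressed as a source-address check. The following is an added example, not part of the original page: it covers IPv4 only, uses the commonly published IPv4 bogon ranges, and assumes 203.0.113.0/24 (a documentation range) as a stand-in for the organisation's own address block. The flow records are constructed.

```python
import ipaddress

# IPv4 bogons: private, reserved and otherwise unroutable source ranges.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumption: the organisation's own public block. A documentation range
# stands in for it here, so it is checked before the bogon list.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def ingress_verdict(src):
    """Decide what the access router does with an inbound source address."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return "drop: malformed source"
    if any(addr in net for net in OWN_PREFIXES):
        # Our own addresses can never legitimately arrive from outside.
        return "drop: source inside own range"
    if any(addr in net for net in BOGONS):
        return "drop: bogon source"
    return "forward to perimeter firewall"


def filter_inbound(flows):
    """Return (src, dst_port, verdict) for each constructed flow record."""
    return [(src, port, ingress_verdict(src)) for src, port in flows]


# Constructed sample: source address and destination port of inbound packets.
SAMPLE_FLOWS = [
    ("10.20.30.40", 443),    # RFC 1918 source arriving from the internet
    ("203.0.113.7", 25),     # claims to come from our own block
    ("127.0.0.1", 80),       # loopback source
    ("1.1.1.1", 443),        # ordinary public source
    ("999.1.1.1", 22),       # not a valid IPv4 address
]

if __name__ == "__main__":
    for src, port, verdict in filter_inbound(SAMPLE_FLOWS):
        print(f"{src:>15} -> :{port:<5} {verdict}")
```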

Perimeter Firewall - Rules

Perimeter Firewall Rules - General Best Practices
In relation to security and access control, a default deny strategy for firewall rules is regarded as the best practice.
Firewall administrators are advised to configure rules to permit the minimum inbound traffic for the network.
Firewall rulesets that are short are easier to manage.
Firewall rules should be reviewed on a periodic basis to ensure they are compliant with the minimum requirements of the current network environment.

Egress Filtering

Description

Egress filtering is the practice of monitoring, controlling and restricting traffic leaving a network with the objective of ensuring that only legitimate traffic is allowed to leave and that unauthorised or malicious traffic is prevented from doing so.

Egress filtering is primarily achieved through the use of predefined security rules and policies implemented on the perimeter firewall, to block outbound traffic that uses protocols and destination ports that are unnecessary or subject to abuse. Network administrators are advised to ensure that appropriate measures are taken to prevent unauthorised access to the internet access router, as it is located outside the perimeter firewall, and, if SNMP is enabled, that appropriate measures are implemented to prevent it from being exploited.

While Egress filtering is not primarily focused on protecting one's own network, it does serve to protect the networks of other organisations, by preventing the spread of malware or traffic with a forged IP source address (IP spoofing) from leaving the network that has been compromised, either through the deliberate malicious activity of an individual user or the malicious activity caused by infections, botnets and other malware within the network.

Services & Ports - Recommended to be blocked

Depending upon the requirements of an organisation, if the following services are not required, it is recommended that their default ports be blocked and that outbound traffic for these services be prevented from leaving the network.

Service    TCP Port     UDP Port
MS RPC     135          135
NetBIOS    137-139      137-139
SMB        445          -
SNMP       -            161-162
Syslog     -            514
TFTP       -            69
IRC        6660-6669    -

Detailed information as to why it is recommended that these services and ports be blocked can be found in the links contained within additional information (below).

Services & Ports - Recommendation on restriction of traffic

Depending upon the requirements of an organisation, it is recommended that outbound traffic for the following services, on their default ports, be restricted to known hosts and to communicate over certain ports.

Service    TCP Port    UDP Port
DNS        53          53
FTP        21          -
HTTP       80          -
HTTPS      443         -
NTP        123         -
SMTP       -           -

Detailed information as to why it is recommended that outbound traffic for these services and ports be restricted to known hosts and communicated over certain ports can be found in the links contained within additional information (below).
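
The two egress tables above (services to block, and services to restrict to known hosts) can be combined into one outbound policy check. This is an added example, not part of the original page. It assumes that "known hosts" means the internal hosts approved to originate each service, that all other outbound traffic falls under default deny, and that the internal range and host addresses shown are hypothetical.

```python
import ipaddress

# (protocol, port) pairs from the "recommended to be blocked" table.
BLOCKED = {("tcp", 135), ("udp", 135), ("tcp", 445),
           ("udp", 161), ("udp", 162), ("udp", 514), ("udp", 69)}
BLOCKED |= {(p, n) for p in ("tcp", "udp") for n in range(137, 140)}  # NetBIOS
BLOCKED |= {("tcp", n) for n in range(6660, 6670)}                    # IRC

# Restricted services: only the listed internal hosts may originate them.
# All host addresses are hypothetical.
KNOWN_HOSTS = {
    ("tcp", 53): {"10.0.0.53"}, ("udp", 53): {"10.0.0.53"},   # DNS resolver
    ("tcp", 25): {"10.0.0.25"},                               # mail relay
    ("udp", 123): {"10.0.0.123"},                             # NTP server
    ("tcp", 80): {"10.0.0.80"}, ("tcp", 443): {"10.0.0.80"},  # web proxy
    ("tcp", 21): set(),                                       # FTP: nobody
}

INTERNAL = ipaddress.ip_network("10.0.0.0/16")  # assumed internal range


def egress_verdict(src, proto, dport):
    """Verdict for an outbound packet seen at the perimeter firewall."""
    # Traffic leaving with a source outside our range is spoofed or misrouted.
    if ipaddress.ip_address(src) not in INTERNAL:
        return "drop: source not from this network"
    key = (proto.lower(), dport)
    if key in BLOCKED:
        return "drop: blocked service"
    if key in KNOWN_HOSTS:
        if src in KNOWN_HOSTS[key]:
            return "allow"
        return "drop: host not approved for service"
    return "drop: default deny"


if __name__ == "__main__":
    # Constructed outbound packets: (source, protocol, destination port).
    for pkt in [("10.0.0.25", "tcp", 25), ("10.0.4.17", "tcp", 25),
                ("10.0.4.17", "tcp", 445), ("192.0.2.9", "tcp", 443)]:
        print(pkt, "->", egress_verdict(*pkt))
```

A workstation sending SMTP directly (10.0.4.17 to port 25) is dropped while the approved relay is allowed, which is the distinction the restricted-services table is meant to enforce.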

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is primarily used by system administrators for diagnostics and troubleshooting; however, it can be exploited for:

ICMP Reconnaissance - ICMP can be used to perform a reconnaissance against a network.
Ping Sweep - A ping sweep consists of ICMP echo request messages sent to multiple hosts to determine which machines are alive and which are not.
Ping flood - An attacker can use ICMP to launch a Denial of Service (DoS) attack against a targeted system. The attacker sends ICMP requests in rapid succession without waiting for the targeted system to respond. The objective of a ping flood is to consume both incoming and outgoing bandwidth as well as CPU resources in order to degrade the system's performance.
ICMP tunnelling - ICMP can be used to establish a covert communication channel between remote systems. All communications are sent via ICMP requests and replies. ICMP tunnelling can be used to bypass firewall rules.
Forged ICMP redirects - ICMP redirect is a feature which allows a router to inform a host of a more efficient route to a destination and that the host should adjust its routing table accordingly. In a forged ICMP redirect attack, an ICMP redirect message containing the IP address of the attacker's system is sent to the victim's host; thereafter, traffic from the victim's host will be fraudulently redirected to the system which belongs to the attacker. This allows an attacker to compromise network traffic via a man-in-the-middle attack.

There are a number of specific ICMP types and codes that may need to be monitored or blocked.

ICMP Message                     Type    Code
ICMP Echo-Replies                0       0
ICMP Host Unreachable            3       1
ICMP Time Exceeded in Transit    11      0

Additional Information

Internet Engineering Task Force (IETF) - RFC2827 - Network Ingress Filtering
Internet Engineering Task Force (IETF) - BCP38 - IP Source Address Spoofing
Internet Engineering Task Force (IETF) - BCP84 - Ingress Filtering for Multihomed Networks
Internet Engineering Task Force (IETF) - RFC3704 - Ingress Filtering for Multihomed Networks
SANS Institute - Egress Filtering FAQ
SANS Institute - Performing Egress Filtering
pfSense - Ingress & Egress Filtering
Cisco - Network Policy Enforcement
Carnegie Mellon University - Best Practices and Considerations in Egress Filtering
Carnegie Mellon University - Best Practices for Network Border Protection
Internet Society - Addressing the Challenge of IP Spoofing
Cybersecurity & Infrastructure Security Agency (CISA-US) - UDP-Based Amplification Attacks
Sophos - DoS & Spoof Prevention