Keep Your Network Self-Contained

Use egress filtering to mitigate attacks and information leaks coming from your network.

You’re probably familiar with the concept of firewalling as it applies to blocking traffic coming into your network. Have you considered the benefits of filtering traffic that leaves your network? For instance, what would happen if someone compromised a host on your network and used it as a platform to attack other networks? What if a worm somehow made it onto your network and tried to infect hosts across the Internet? At the very least, you would probably receive some angry phone calls and emails. Luckily, filtering your outbound traffic—otherwise known as egress filtering—can help to contain such malicious behavior. Egress filtering can not only protect others from attacks originating from your network, but can also be used to enforce network usage policies and make sure information doesn’t leak out of your network onto the wider Internet. In many situations, egress filtering is just as important as filtering inbound traffic.

The general guideline when crafting egress-filtering rules is the same as when constructing any inbound-filtering rule—devices should only be allowed to do what they were meant to do. That is, a mail server should only be allowed to serve and relay mail, a web server should only be allowed to serve web content, a DNS server should only service DNS requests, and so on. By ensuring that this policy is implemented, you can better contain ...
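The following is an added example, not code from the book: it expresses the "devices should only do what they were meant to do" guideline as a per-role egress policy in Python, renders that policy into iptables OUTPUT rules (default-deny, with established connections and a rate-limited log of drops), and then audits constructed outbound flow records against the same policy to flag hosts doing something their role does not call for. The role names (`mail`, `web`, `dns`), the resolver address `192.0.2.53`, the other addresses (all from the RFC 5737 documentation ranges) and the flow-log format are assumptions made for the example.

```python
"""Egress policy as data: render it to iptables rules and audit flows against it.

Added example; role names, addresses and the log format are constructed.
"""
from dataclasses import dataclass

# Assumed internal DNS resolvers (RFC 5737 documentation address).
RESOLVERS = ("192.0.2.53",)

# Per-role egress policy: (proto, destination port, allowed destinations).
# None means "any destination". Anything not listed is denied.
POLICY = {
    "mail": [("tcp", 25, None), ("udp", 53, RESOLVERS), ("tcp", 53, RESOLVERS)],
    "web":  [("udp", 53, RESOLVERS), ("tcp", 53, RESOLVERS)],
    "dns":  [("udp", 53, None), ("tcp", 53, None)],
}


@dataclass(frozen=True)
class Flow:
    """One new outbound connection attempt from a host of a given role."""
    role: str
    proto: str
    dst: str
    dport: int


def is_allowed(flow: Flow) -> bool:
    """Return True only if some policy entry for the role matches the flow."""
    for proto, dport, dsts in POLICY.get(flow.role, []):  # unknown role -> deny
        if proto == flow.proto and dport == flow.dport:
            if dsts is None or flow.dst in dsts:
                return True
    return False


def render_iptables(role: str) -> list:
    """Translate a role's policy into iptables OUTPUT rules (default-deny)."""
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, dport, dsts in POLICY.get(role, []):
        for dst in (dsts or ("0.0.0.0/0",)):
            rules.append(
                f"iptables -A OUTPUT -p {proto} -d {dst} --dport {dport} "
                "-m conntrack --ctstate NEW -j ACCEPT"
            )
    # Log what falls through to the DROP policy so compromises show up in syslog.
    rules.append('iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "')
    return rules


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form: '<role> <proto> <dst> <dport>'."""
    role, proto, dst, dport = line.split()
    return Flow(role, proto, dst, int(dport))


def audit(log_text: str) -> list:
    """Return the flows in a log that violate the egress policy for their role."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in flows if not is_allowed(f)]


# Constructed flow log: a web server trying outbound SMTP and querying a
# non-resolver DNS server are the kind of behaviour egress filtering catches.
SAMPLE_LOG = """\
mail tcp 198.51.100.10 25
web udp 192.0.2.53 53
web tcp 198.51.100.10 25
dns udp 203.0.113.7 53
web udp 198.51.100.20 53
"""

if __name__ == "__main__":
    for rule in render_iptables("web"):
        print(rule)
    for bad in audit(SAMPLE_LOG):
        print("VIOLATION:", bad)
```

The policy table is the single source of truth: the rule renderer and the flow audit both read it, so a host that is seen doing something the rendered rules would have blocked is either misconfigured or behaving in a way the policy never intended. The log rule sits after the accepts so only traffic headed for the DROP policy is recorded, rate-limited to keep a noisy worm from filling the disk.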
