Intermediate | Network Security

Implement and monitor egress filtering — outbound traffic controls detect exfiltration

Most network security focuses on blocking inbound connections. Egress filtering — controlling and monitoring outbound connections — is equally important and frequently neglected. The Codecov bash uploader attack sent CI/CD secrets to an attacker-controlled server via HTTP. The CCleaner backdoor sent system data outbound via standard ports. Without egress filtering, any process on any machine can establish outbound connections to any address. Implement explicit allow-listing for outbound traffic from sensitive systems, log all egress connections, and alert on connections to newly registered domains or unexpected geographic regions.
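The controls described above, as an added example that is not part of the original guide: a small Python check that applies a per-host egress allow-list to firewall connection log lines and flags the three conditions the guide names (destination not allow-listed, newly registered domain, unexpected region). The log format, the allow-list entries, the domain registration dates and the sample lines are all constructed for the demonstration.

```python
# Added example (not from the original guide): egress allow-list and
# exfiltration checks over constructed firewall connection logs.
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed per-host allow-list: the only (CIDR, port) pairs a CI runner needs.
ALLOWLIST = {"ci-runner-01": [("203.0.113.0/24", 443), ("192.0.2.10/32", 22)]}
# Constructed WHOIS-style registration dates for destination domains.
DOMAIN_REGISTERED = {"artifacts.example.com": date(2012, 5, 1),
                     "collector-7f3a.example.net": date(2024, 3, 28)}
NEW_DOMAIN_DAYS = 30               # "newly registered" threshold
EXPECTED_COUNTRIES = {"US", "DE"}  # regions this host normally talks to
TODAY = date(2024, 4, 2)           # fixed clock so the run is reproducible

def parse_line(line):
    """Parse 'timestamp host dst_ip dst_port domain country' (constructed format)."""
    ts, host, dst_ip, dst_port, domain, country = line.split()
    return {"ts": ts, "host": host, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "domain": domain, "country": country}

def is_allowed(host, dst_ip, dst_port):
    """True only if both destination address and port match an allow-list entry."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(cidr) and port == dst_port
               for cidr, port in ALLOWLIST.get(host, []))

def check_event(ev, today=TODAY):
    """Return alert reasons for one egress event; an empty list means clean."""
    reasons = []
    if not is_allowed(ev["host"], ev["dst_ip"], ev["dst_port"]):
        reasons.append("not-in-allowlist")
    registered = DOMAIN_REGISTERED.get(ev["domain"])
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("newly-registered-domain")
    if ev["country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected-geo")
    return reasons

def scan(lines, today=TODAY):
    """Return (host, domain, reasons) per line; alert on non-empty reasons."""
    return [(ev["host"], ev["domain"], check_event(ev, today))
            for ev in map(parse_line, lines)]

# Constructed sample log: an allowed upload, a suspicious outbound connection,
# and an allowed address reached over a port the allow-list does not cover.
SAMPLE_LOG = [
    "2024-04-02T10:00:00Z ci-runner-01 203.0.113.5 443 artifacts.example.com US",
    "2024-04-02T10:00:07Z ci-runner-01 198.51.100.77 443 collector-7f3a.example.net SG",
    "2024-04-02T10:00:09Z ci-runner-01 203.0.113.5 80 artifacts.example.com US",
]
```

Running `scan(SAMPLE_LOG)` clears the first line, flags the second on all three conditions, and flags the third only for the port mismatch, which is the kind of HTTP-to-an-allowed-host case the Codecov incident illustrates.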

Tags: egress filtering, outbound traffic, data exfiltration, firewall policy, network monitoring

More in Network Security

Intermediate | Featured

Segment OT and ICS networks completely from corporate IT

The 2015 Ukraine power grid attack succeeded because the attackers could reach SCADA industrial control systems from the corporate network they had infiltrated via phishing emails. The Target breach succeeded because POS systems were on the same network segment as a compromised HVAC vendor's access point. Operational technology (OT) and industrial control systems (ICS) must be completely isolated from corporate IT networks with no routable path between them. If monitoring requires connectivity, use unidirectional data diodes. Any device that can read a corporate email must never be able to reach a centrifuge controller, power substation relay, or manufacturing system.

See: Ukraine Power Grid Attack | Network Security

Advanced

Adopt zero-trust architecture: verify every request regardless of network origin

The SolarWinds attack exploited the assumption that internal network location implies authorisation. Once inside a network via a malicious software update, the attackers moved freely because internal systems implicitly trusted each other. Zero-trust architecture removes that assumption: every request, regardless of whether it originates from inside or outside the network perimeter, must be authenticated, authorised, and continuously validated. Implement micro-segmentation, require MFA for all internal application access, enforce device health checks before granting access, and log all east-west traffic.

See: SolarWinds Supply Chain | Network Security

Beginner

Place IoT and smart devices on isolated VLANs with no access to production systems

An internet-connected fish tank thermometer at a casino served as the entry point for attackers who reached the high-roller customer database. The thermometer was on the corporate network with a routable path to internal systems. Every IoT device — smart TVs, HVAC controllers, IP cameras, building management systems, even fish tank sensors — must be on a dedicated VLAN that has no access to any system containing sensitive data. The VLAN should permit only the specific outbound internet traffic the device requires for its function. Treat every IoT device as untrusted by default.

See: Casino Fish Tank IoT Hack | Network Security