Why block outgoing network traffic with a firewall?

  • In terms of a home network, is there any reason to set up a router firewall so that all outgoing ports are blocked, and then open specific ports for things such as HTTP, HTTPS, etc. Given that every computer on the network is trusted, surely the amount of extra security provided by blocking outgoing ports would be pretty much negligible?

    Could help prevent your computer from becoming part of a botnet if your computer becomes compromised somehow.

    In my home network, I neglected to block outgoing ports. I quickly wisened up when an exploit in the mail server was used to upload a boostrap piece of malware, which was just a script that made an outgoing connection to download the rest of the malware. The attack could have been mitigated had the bootstrap piece not been able to phone home.

    I'd recommend to ALSO block outgoing http, https, ssh, etc: only open what you need AT A GIVEN TIME (on critical servers). For example: A server doesn't need to be able to reach the web (or its own updates) apart from the time of the day where it is updating... So if attacked at another period, having outgoing http/https/ssh/whatever blocked will help reducing the attacker's ability to download a payload or use your network in some way.

    "Given that every computer on the network is trusted" -- This is a bad assumption.

  • Rory McCune

    Rory McCune Correct answer

    8 years ago

    Blocking outbound traffic is usually of benefit in limiting what an attacker can do once they've compromised a system on your network.

    So for example if they've managed to get malware onto a system (via an infected e-mail or browser page), the malware might try to "call home" to a command and control system on the Internet to get additional code downloaded or to accept tasks from a control system (e.g. sending spam)

    Blocking outbound traffic can help stop this from happening, so it's not so much stopping you getting infected as making it less bad when it's happened.

    Could be overkill for a home network tho' as there's a lot of programs which make connections outbound and you'd need to spend a bit of time setting up all the exceptions.

    Something similar happens on a windows PC's firewall. It is easier to manage. Whenever a new program that requests outbound connections to the internet is installed, an additional step must be made to allow outbound connections for the installed application (firefox, thunderbird, etc.). This is more manageable than central firewall blocking as a whole.

    @dadinck, but if the Admin account is compromised, would it not be possible for the attacker/virus/Trojan to change the Windows Firewall settings to allow the connection to the Command&Control?

    Wouldn't any attacker just contact their command and control network over port 80 or 443?

    @bhspencer, Yes, this exact thing happens. A specific case of this that I have heard about is where a program on an infected machine uses http GET's to ping a specific web address and waits to execute commands based on innocuous submissions to that page.

    @bhspencer thinking the same thing. If that's the case, then the whole exercise is pointless I think.

    In a typical Win10 environment, how likely is it that malware will be able to whitelist itself in the Windows Firewall, and then call home?

    Yes, it *is* pointless for that reason to limit egress from a network. Inside a network, limiting egress on individual machines can prevent rapid spread of some old worms - but it cannot keep malware from "calling home" and downloading payload code.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM