Network security is a two-way street. Whenever threats try to get into a computer network, they must have come out of some other network or system. Responsible network operators need to make sure they aren’t part of the problem.
If everyone just tries to stop threats from coming in, there isn’t much to stop them from being sent out. More and more attacks happen. Administrators try to keep them out, but it’s an arms race that people have little hope of winning. Or perhaps it should be called a Red Queen’s race: it takes all the running you can do just to stay in the same place.
There is a way to shift the balance, and outbound security is the key. If enough networks take measures to keep themselves from propagating threats, the attacks will slow down and the defenders have a better chance. When companies and site owners do this, they improve their own security, as well.
Malware epidemics
True computer viruses are rare today, but the term “infection” is still an apt analogy. Worms and phishing campaigns are like an epidemic spreading through the Internet. They need to find hosts where they can incubate and reproduce. Imagine a flu epidemic where no one stays home when they’re sick and no one covers their coughs. The disease would spread like crazy, even if people did their best to get immunizations.
Looking at the analogy optimistically, the treatment is obvious: if most people take reasonable precautions to keep themselves from spreading the flu, it won’t spread as quickly. Fewer people will get sick, which will further slow its spread.
In epidemiology, the reproduction number is an important variable. It’s defined as the average number of people that a person with a disease will infect. If it’s less than 1, then the disease will tend to fade out of the population. If it’s greater than 1, it will increase until it saturates the population. Another factor is the proportion of the population that is immune. The higher it is, the more effective “herd immunity” is at keeping diseases from spreading.
Both of these ideas contribute to stopping — or failing to stop — the spread of malware. Inbound security measures to prevent infection are crucial. They aren’t 100% effective, though, so outbound controls are also important. The first affects the rate of immunity, the second the reproduction number.
Reducing the problem
But what about the many networks that will never practice outbound security? Some of them are deliberately malicious. Others are run by people who have no notion of security practices, so they’re constant hotbeds of infection.
No campaign for better security will affect their behavior, so isn’t the effort hopeless?
No.
Numbers make a difference, even when they can’t be brought to zero. When there are fewer sources of infection, it’s easier to identify and block them. The number of legitimate sites that periodically become unsafe is a huge problem for blacklist maintainers. The persistently harmful IP addresses are easier to identify and block since they don’t change as fast.
Besides, people are more likely to visit legitimate sites than unfamiliar ones. A popular site that gets infected is like a Typhoid Mary. When legitimate sites stay safe, that’s a significant reduction in the problem.
The sheer quantity is important in DDoS attacks. Any efforts that significantly reduce the ability to send malicious packets over the Internet will reduce the maximum effectiveness of these attacks.
Actions to take
The most basic precaution to take in outbound security is placing filters on outgoing emails. They provide a dual benefit. First, they prevent malware from sending spam out, which can help sites avoid the possibility of being blacklisted. Second, filter reports provide a warning that malware is running in the network. Administrators can hunt down and remove the source of spam.
Only approved mail servers should be able to use port 25 outbound; anyone else using it is probably sending spam. The firewall should not only prevent its use but flag the attempt. Most likely, a machine has been infected if that happens.
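The "flag the attempt" step above is where the detection value comes from. The following is an added example, not code from the original article: it reads netfilter-style firewall log lines for blocked outbound TCP/25 connections and lists the internal hosts, other than the approved relays, that tried to reach Internet mail servers. The approved relay address, the internal range, the log prefix names and every log line are constructed for this demonstration.

```python
"""Flag internal hosts that tried to reach TCP/25 through the egress firewall.

Added example (not from the original article). Assumes the firewall logs
blocked outbound connections in an iptables/netfilter LOG-target style with
a prefix; the addresses and log lines below are constructed for this demo.
"""
import re
from ipaddress import ip_address, ip_network

# Hosts allowed to speak SMTP to the Internet (assumed value).
APPROVED_MAIL_RELAYS = {ip_address("10.0.0.25")}
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample of firewall log lines (netfilter LOG target style).
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: EGRESS-SMTP-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  3 10:01:03 fw kernel: EGRESS-SMTP-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Mar  3 10:01:05 fw kernel: EGRESS-SMTP-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=51236 DPT=25 SYN
Mar  3 10:02:00 fw kernel: EGRESS-OTHER-DROP: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=40000 DPT=53
Mar  3 10:02:11 fw kernel: EGRESS-SMTP-DROP: IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=33001 DPT=25 SYN
Mar  3 10:03:00 fw kernel: EGRESS-SMTP-ACCEPT: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=44001 DPT=25 SYN
"""

# Tolerant of the extra LEN=/TOS=/TTL= fields real netfilter logs insert.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a netfilter-style log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ip_address(m["src"]), ip_address(m["dst"]), m["proto"], int(m["dport"]))


def smtp_offenders(log_text, threshold=1):
    """Count distinct Internet SMTP destinations per unapproved internal host.

    A non-relay host opening TCP/25 to the Internet is, as the article says,
    most likely infected; several distinct destinations in a short window is
    the classic spam-bot pattern. Returns {host: distinct_destination_count}
    for hosts at or above `threshold`.
    """
    dests = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport != 25:
            continue
        if src not in INTERNAL_NET or src in APPROVED_MAIL_RELAYS:
            continue
        if dst in INTERNAL_NET:
            continue  # internal SMTP hop, not an Internet egress attempt
        dests.setdefault(src, set()).add(dst)
    return {str(h): len(d) for h, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, n in sorted(smtp_offenders(SAMPLE_LOG).items()):
        print(f"investigate {host}: {n} distinct Internet SMTP targets")
```

Raising `threshold` turns the report from "every attempt" into "hosts spraying many mail servers", which is the more useful alert once a legitimate but misconfigured host has been tracked down and fixed.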
Firewalls are another important element of security. Most firewalls support both inbound and outbound rules, but system operators usually pay more attention to the inbound ones. Outbound rules protect both the network running the firewall and the outside world. They can prevent connections to command and control (C&C) servers, which keeps an initial infection from downloading more malware.
Individual computers should have their own outbound firewalls to discourage the spread of malware within the network. Blocking unused ports may keep an infected desktop machine from launching attacks on the rest of the network.
In some cases, a machine should be allowed to use a port within the network, but not to use it for sending packets over the Internet. For example, if a network uses its own DNS, then most of the machines on the network should be allowed TCP and UDP port 53 only internally, not over the Internet. This helps to prevent participation in DNS flooding attacks.
Outbound security includes not only control over what gets sent over the Internet but machine-to-machine security within the local network. Malware takes advantage of weak security inside a network to spread from an edge device to the servers. Each device needs to have its own outbound restrictions.
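The rules in the last few paragraphs (SMTP only from approved relays, DNS only to the internal resolvers, no connections to known C&C addresses, everything else on a per-host allowlist) fit together as one egress policy. The following is an added example, not the article's code: a small evaluator that gives an allow-or-deny verdict for each outbound flow, so the deny verdicts can be alerted on. The internal range, resolver and relay addresses, the placeholder C&C entry, the workstation port allowlist and the sample flows are all constructed for the demonstration.

```python
"""Evaluate outbound flows against a per-host egress policy.

Added example, not from the original article. Models the article's rules:
only approved relays may send to TCP/25 on the Internet, port 53 is allowed
only to the internal resolvers (and from the resolvers upstream), known C&C
addresses are blocked, and anything not explicitly allowed is denied and
flagged. All addresses, ranges and flows here are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")                          # assumed
INTERNAL_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.0.54")}
APPROVED_MAIL_RELAYS = {ip_address("10.0.0.25")}
# Placeholder blocklist entry; a real list would come from threat-intel feeds.
CC_BLOCKLIST = {ip_address("203.0.113.66")}
# Services ordinary workstations may use on the Internet (assumed policy).
WORKSTATION_INTERNET_PORTS = {("TCP", 80), ("TCP", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow):
    """Return ("allow" | "deny", reason). Deny verdicts are the ones to alert on."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto.upper(), flow.dport)

    # Known C&C destination: block regardless of source or port, so an
    # initial infection cannot fetch its second stage.
    if dst in CC_BLOCKLIST:
        return "deny", "destination on C&C blocklist"

    # DNS: every host may query the internal resolvers; only the resolvers
    # may send port-53 traffic to the Internet. This keeps the rest of the
    # network out of DNS-flood attacks.
    if flow.dport == 53:
        if dst in INTERNAL_RESOLVERS:
            return "allow", "query to internal resolver"
        if src in INTERNAL_RESOLVERS and dst not in INTERNAL_NET:
            return "allow", "resolver upstream query"
        return "deny", "port 53 allowed only to internal resolvers"

    # Other internal-to-internal traffic is the host firewalls' concern;
    # this evaluator judges Internet-bound flows only.
    if dst in INTERNAL_NET:
        return "allow", "internal traffic (host firewall decides)"

    # SMTP to the Internet only from the approved relays.
    if key == ("TCP", 25):
        if src in APPROVED_MAIL_RELAYS:
            return "allow", "approved mail relay"
        return "deny", "SMTP egress from non-relay host (likely spam bot)"

    if key in WORKSTATION_INTERNET_PORTS:
        return "allow", "permitted workstation service"
    return "deny", "port not on egress allowlist"


def flagged(flows):
    """Return the flows that should raise an alert, with their reasons."""
    return [(f, reason) for f in flows if (v := decide(f))[0] == "deny" for reason in [v[1]]]


# Constructed sample flows (documentation address ranges used for the Internet side).
SAMPLE_FLOWS = [
    Flow("10.0.5.17", "192.0.2.77", "TCP", 25),        # workstation sending mail
    Flow("10.0.0.25", "192.0.2.77", "TCP", 25),        # approved relay
    Flow("10.0.5.17", "10.0.0.53", "UDP", 53),         # normal DNS lookup
    Flow("10.0.5.17", "198.51.100.53", "UDP", 53),     # bypassing the resolvers
    Flow("10.0.0.53", "198.51.100.53", "UDP", 53),     # resolver going upstream
    Flow("10.0.5.17", "203.0.113.66", "TCP", 443),     # C&C over HTTPS
    Flow("10.0.5.17", "192.0.2.10", "TCP", 443),       # ordinary web traffic
    Flow("10.0.5.17", "192.0.2.10", "TCP", 6667),      # unexpected service
]

if __name__ == "__main__":
    for flow, reason in flagged(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The order of the checks matters: the C&C blocklist is consulted first so that no later allow rule (HTTPS, for instance) can let a known bad destination through, and the DNS rule runs before the general internal-traffic pass so that a workstation cannot push port-53 traffic to an arbitrary internal address either.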
Being a good Internet citizen
Network security can’t just be a matter of keeping threats from getting into the local network. Administrators also have to make sure their network isn’t a source of threats to others. That’s part of being a good Internet citizen.
Paying attention to outbound threats isn’t just impractical idealism. Undetected, unchecked malware running on a network is most likely stealing information or processing power. Outbound security measures will detect unauthorized email, connections to C&C servers, and other activities that endanger the network.
No one likes being blacklisted. Stopping outbound threats from getting through keeps a site’s Internet reputation high.
If legitimate sites start paying more attention to what goes out from their networks, the bad actors will be left to their own devices (literally) and will be easier to stop. Malware epidemics will be more controllable, and their activities will be less profitable. Everyone who contributes to the effort of stopping outbound threats benefits from it.