
Think you don't need outbound firewall rules? Here is why you do.
Inbound firewalling
Most consumer and SME routers contain rudimentary inbound firewalling to prevent unauthorised connections to your network. This helps prevent bad actors such as hackers from accessing your computers. For simple networks such as homes, inbound firewalling might be adequate to block the majority of relevant threats.
Outbound firewalling
However, simple home and SME devices typically have no capability to block outbound connections from your network with any degree of sophistication. In such cases, all outbound connections will be permitted. Inbound connections are not the only source of risk to your network, though, as unmanaged outbound connections also present a number of problems:
- Privacy - Sadly, many devices 'spy' on your network and usage. Devices like Smart TVs, media streamers, cameras and printers will all connect to remote destinations for purposes that are at best unknown and at worst sinister.
- Risk - Malware, ransomware and viruses all rely upon unrestricted outbound access from your network, as they often use obscure ports and / or uncommon UDP connectivity. Best practice dictates that devices should only have the Internet access they require.
- Control - You cannot easily manage and control Internet access for devices without outbound firewalling. You will not be able to specify which devices can connect to which locations and when, nor control essential network services such as DNS and web proxying.
- Visibility - Without the logging provided by an outbound firewall you will not see how devices on your network attempt to use the Internet. You will miss the opportunity to identify suspicious and undesirable patterns of activity.
Practical examples of outbound risks
Over the years I've seen many examples of undesirable outbound traffic from devices attached to managed networks. For example:
- Printers having firmware that 'calls home' across the Internet despite having privacy settings enabled.
- IP cameras and DVRs are often shipped with firmware that is never updated and with default, widely known usernames and passwords. Such devices should be denied Internet connectivity unless the risks are understood and accepted.
- Smart TVs and media devices will contact unknown and vendor-specific destinations, even when not in use.
- Organisations that have policies prohibiting certain types of Internet access but no means of enforcing them. This can lead to inappropriate Internet access that you cannot detect.
- Viruses, malware and ransomware are able to contact command-and-control networks to activate and then encrypt your data.
All of the above behaviours are discoverable and controllable using outbound firewalling.
What are the options for Outbound firewalling?
For larger SMEs and Enterprises a commercial firewall offering should be considered such as Cisco, Fortinet, Juniper, SonicWall, CheckPoint or Palo Alto; there are many other vendors in this space and a competitive value-added reseller channel.
Expect to make a considerable capital investment along with a commitment to ongoing operational revenue for licensing and support. If you cannot afford to make such an investment, consider scaling-up one of the options below for a low-cost alternative.
For smaller SMEs, SOHO and homelab users, if a commercial option is not a possibility then consider a firewall built from an open-source software project such as pfSense, OPNsense or IPFire. These are mature, well respected security platforms that provide effective outbound firewalling amongst a rich collection of security functionality. Many others exist too.
You will need to source hardware on which to build your firewall. The vendor Netgate produces a very reasonably priced pfSense appliance, available through Amica Networks in the UK for less than £150 - I consider this a bargain for SOHO and smaller SME networks.
Alternatively, you could reuse existing redundant desktop PC hardware, or you could purchase used hardware from eBay. At the time of writing, a lower-spec refurbished mini desktop computer capable of running pfSense costs £80, and probably still offers better performance than the Netgate appliance. You could purchase more powerful (or new) hardware if you need a higher-performance solution. You may need to purchase additional USB network interfaces unless you use VLAN-capable switches.
Finally, you could build a virtual firewall on your virtual infrastructure, if you have such infrastructure and the skills to do so.
Configuring outbound security
When built, apply outbound firewall rules to control how traffic exits your network. I recommend the following methodology:
- Prevent Internet access for internal devices that do not require it.
- Prevent connection to undesirable destinations and geographies.
- Secure access to key network services, for example, by ensuring only your Protective DNS server can perform external DNS lookups to prevent DNS hijack.
- Permit common connections for well-known traffic that you expect to occur, such as web browsing.
- Selectively permit uncommon connections on unusual ports or protocols for just the devices that require them, such as media and gaming devices, VPNs, some cloud applications.
- Deny (and log) all other connectivity that you have not explicitly approved. Inspect logs regularly.
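The six steps above are an ordered, first-match policy: a connection is tested against each step in turn and the last step denies and logs whatever nothing earlier permitted. The following Python model is an added example (not code from the article and not a configuration for pfSense, OPNsense or IPFire) that encodes the six steps as an evaluator, runs a constructed sample of connection attempts through it, and then summarises the logged denials by device and port, which is the kind of pattern the Visibility point above and "inspect logs regularly" are about. All addresses, device groups and port lists are assumptions chosen for the example; 203.0.113.0/24 stands in for an "undesirable destination" range.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumed; not from the article).
LAN = ip_network("192.168.1.0/24")
PROTECTIVE_DNS = ip_address("192.168.1.2")                             # only host allowed external DNS
NO_INTERNET = {ip_address("192.168.1.50"), ip_address("192.168.1.51")}  # IP camera, DVR
MEDIA_DEVICES = {ip_address("192.168.1.60")}                           # smart TV
MEDIA_ALLOWED = {("udp", 1900), ("tcp", 8443)}        # example uncommon ports a media device needs
UNDESIRABLE = [ip_network("203.0.113.0/24")]          # placeholder "blocked destination" range
WEB_PORTS = {("tcp", 80), ("tcp", 443)}               # well-known, expected traffic


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow" or "deny"
    step: int    # methodology step that decided it (0 = internal traffic, not an egress decision)
    log: bool    # whether the decision would be written to the firewall log


def evaluate(conn: Conn) -> Verdict:
    """Apply the six methodology steps in order; the first matching step wins."""
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    if dst in LAN:
        return Verdict("allow", 0, False)          # stays inside the LAN: not outbound
    # 1. devices that need no Internet access at all
    if src in NO_INTERNET:
        return Verdict("deny", 1, True)
    # 2. undesirable destinations (or geographies, if fed from a GeoIP list)
    if any(dst in net for net in UNDESIRABLE):
        return Verdict("deny", 2, True)
    # 3. external DNS only from the protective resolver; anything else is a bypass attempt
    if conn.dport == 53:
        if src == PROTECTIVE_DNS:
            return Verdict("allow", 3, False)
        return Verdict("deny", 3, True)
    # 4. well-known, expected traffic such as web browsing
    if (conn.proto, conn.dport) in WEB_PORTS:
        return Verdict("allow", 4, False)
    # 5. selective permits on unusual ports for just the devices that need them
    if src in MEDIA_DEVICES and (conn.proto, conn.dport) in MEDIA_ALLOWED:
        return Verdict("allow", 5, False)
    # 6. default: deny and log everything not explicitly approved
    return Verdict("deny", 6, True)


def logged_denials(conns) -> Counter:
    """Summarise logged denials by (source, proto, dport) for regular log review."""
    counts = Counter()
    for c in conns:
        v = evaluate(c)
        if v.action == "deny" and v.log:
            counts[(c.src, c.proto, c.dport)] += 1
    return counts


# Constructed sample of connection attempts (not real traffic).
SAMPLE = [
    Conn("192.168.1.10", "198.51.100.20", "tcp", 443),   # workstation browsing: allow (step 4)
    Conn("192.168.1.2",  "198.51.100.53", "udp", 53),    # protective DNS resolving: allow (step 3)
    Conn("192.168.1.60", "198.51.100.53", "udp", 53),    # smart TV doing its own DNS: deny (step 3)
    Conn("192.168.1.50", "198.51.100.9",  "tcp", 443),   # IP camera calling home: deny (step 1)
    Conn("192.168.1.60", "198.51.100.30", "tcp", 8443),  # smart TV on its permitted port: allow (step 5)
    Conn("192.168.1.10", "203.0.113.7",   "tcp", 443),   # undesirable destination: deny (step 2)
    Conn("192.168.1.10", "198.51.100.40", "udp", 4444),  # unexplained UDP from workstation: deny (step 6)
    Conn("192.168.1.10", "198.51.100.40", "udp", 4444),  # ... repeated, so it stands out in review
    Conn("192.168.1.10", "192.168.1.20",  "tcp", 445),   # internal file share: not egress (step 0)
]

if __name__ == "__main__":
    for c in SAMPLE:
        v = evaluate(c)
        print(f"{c.src:>14} -> {c.dst:<15} {c.proto}/{c.dport:<5} {v.action:5} step {v.step} log={v.log}")
    for key, n in logged_denials(SAMPLE).most_common():
        print("review:", key, n)
```

Note that step 1 sits before step 2 deliberately: a device on the no-Internet list is denied regardless of where it was trying to go, so the log entry records the device rather than the destination. The same ordering applies when the steps are translated into real rules on pfSense, OPNsense or IPFire, where rules are likewise evaluated top to bottom with a logged block at the end.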
Benefit summary
This brief article has explained why outbound firewall security is so important with some practical examples. I've described some low-cost approaches to providing outbound firewall services that are within the reach of most homes and businesses, and I've also discussed a methodology to inform the creation of an effective set of rules.
How I can help
I'd be delighted to help you with any of the above solutions; please contact me for assistance.