The concept of outbound Internet access really relates back to perimeter defenses. However, the protection of such access is so often neglected within the average organization that I felt it warranted its own section in this book. As I mentioned previously, outbound Internet access (when internal employees access the Internet) poses security issues that are often overlooked. There are many inherent dangers in allowing employees to access the Internet that should be taken into consideration when developing Internet security practices.

Applying the Rules of Security to Outbound Internet Access

When allowing employees to access the Internet, some specific rules should be kept in mind. Giving someone Internet access is a powerful action with many potential consequences. By using the following rules, we better manage the security of our Internet users and protect our organization:

Rule of the Three-Fold Process

It is important that any system accessing the Internet be kept up-to-date with the latest security patches. This is especially true for those browsing the Internet with a Web browser. Web browsers are usually full of great features and horrible vulnerabilities. Users that access the Internet must be using properly maintained systems and have had at least some basic Internet security training. As far as monitoring is concerned, logging outbound Internet access is normally not possible due to the tremendous number of logs that would be generated. It is a good idea to require some form of access authorization before users are allowed to explore the Internet. This way, it will be possible to log systems that attempt to access the Internet without first authenticating. Such logs can point out systems that have back door programs, worms, and other automated applications that attempt to open connections to the Internet without the knowledge or permission of the end-user.

Rule of Least Privilege

Yes, the Rule of Least Privilege even applies to outbound Internet access.
Organizations are highly discouraged from allowing all employees to access the Internet freely; such practices make it extremely difficult to enforce outbound access security. I have already discussed issues with attacks riding back on connections initiated from inside an organization and automated applications that establish outbound tunnels. Additionally, the Internet hosts many destructive tools, malicious scripts, viruses, and many sites that attempt to trick employees into giving away valuable information. Given the many dangers in allowing Internet access, the following controls are recommended:
Outbound Zoning (Proxies)

If we look back to the sample zoning scenarios I provided earlier, we see that there are zoning scenarios designed to address outbound access. Such zones implement a relay system to carry out requests on the end-user's behalf. With Internet access, this usually involves the implementation of a proxy server. Proxy servers are a great way to protect internal systems that need to access external entities like the Internet. Proxies provide protection for the entire session and allow for content filtering, virus scanning, JavaScript blocking, authentication, access monitoring, and other useful features. Quite often, an organization will implement a packet filtering firewall to stand between the Internet and the internal networks, and it will also implement a basic proxy server that simply forwards requests to the Internet on behalf of the users. This type of solution provides optimal protection when accessing the Internet.
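The two ideas above fit together in practice: an authenticating proxy is the only path out, and the proxy's log of requests that were refused for lack of credentials is the place to look for back doors, worms and other automated programs that try to reach the Internet on their own. The following script is an added example, not code from the book or from any proxy vendor. It assumes the Squid native access.log layout (timestamp, elapsed, client, result/status, bytes, method, URL, user, peer, type) and treats a status 407 with no user as an unauthenticated attempt; the log lines, host names and addresses are constructed for the example.

```python
"""Flag internal hosts that keep trying to reach the Internet through the
proxy without ever authenticating.

A normal browser produces one 407 (proxy authentication required) and then
retries with credentials.  A host that produces only 407s, often at a fixed
interval and towards the same few destinations, is worth a closer look.
"""
import re
from collections import defaultdict

# Squid "native" access.log layout (assumed; adjust the regex for other proxies):
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log (not a real capture).  10.0.0.15 is a user whose
# browser answers the 407 challenge; 10.0.0.7 authenticates straight away;
# 10.0.0.42 never authenticates and knocks once a minute.
SAMPLE_LOG = """\
1700000000.101 12 10.0.0.15 TCP_DENIED/407 3612 GET http://intranet-news.example.com/ - HIER_NONE/- text/html
1700000000.350 140 10.0.0.15 TCP_MISS/200 8231 GET http://intranet-news.example.com/ alice HIER_DIRECT/203.0.113.10 text/html
1700000001.004 9 10.0.0.7 TCP_MISS/200 512 CONNECT mail.example.com:443 bob HIER_DIRECT/203.0.113.20 -
1700000002.220 8 10.0.0.42 TCP_DENIED/407 3612 CONNECT unknown-host-1.example.net:443 - HIER_NONE/- text/html
1700000062.221 8 10.0.0.42 TCP_DENIED/407 3612 CONNECT unknown-host-1.example.net:443 - HIER_NONE/- text/html
1700000122.219 7 10.0.0.42 TCP_DENIED/407 3612 GET http://unknown-host-2.example.net/beacon - HIER_NONE/- text/html
1700000182.230 8 10.0.0.42 TCP_DENIED/407 3612 CONNECT unknown-host-1.example.net:443 - HIER_NONE/- text/html
1700000242.225 8 10.0.0.42 TCP_DENIED/407 3612 GET http://unknown-host-2.example.net/beacon - HIER_NONE/- text/html
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = float(rec["ts"])
    return rec


def summarize(lines):
    """Per client address: how often it was refused for missing credentials,
    how often it made an authenticated request, and what it was trying to reach."""
    stats = defaultdict(lambda: {"denied": 0, "authenticated": 0,
                                 "denied_urls": set(), "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or foreign line; skipped, not counted
        s = stats[rec["client"]]
        if rec["status"] == 407 and rec["user"] == "-":
            s["denied"] += 1
            s["denied_urls"].add(rec["url"])
        elif rec["user"] != "-":
            s["authenticated"] += 1
            s["users"].add(rec["user"])
    return stats


def find_unauthenticated_hosts(lines, threshold=3):
    """Hosts with at least `threshold` refused attempts and no authenticated
    request at all.  Returns (client, denied_count, sorted destination list)."""
    suspects = []
    for client, s in sorted(summarize(lines).items()):
        if s["authenticated"] == 0 and s["denied"] >= threshold:
            suspects.append((client, s["denied"], sorted(s["denied_urls"])))
    return suspects


if __name__ == "__main__":
    for client, denied, urls in find_unauthenticated_hosts(SAMPLE_LOG.splitlines()):
        print(f"{client}: {denied} unauthenticated attempts towards {', '.join(urls)}")
```

The threshold exists because a single 407 is the normal first step of proxy authentication; what matters is a host that is refused repeatedly and never follows up with credentials. On a real proxy, feed the script the access log for the period of interest and compare the flagged addresses against the inventory of systems that are expected to have no interactive user at all.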