Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

IS3220: Unit 5 Ingress and Egress Filtering Ingress Filtering Ingress

advertisement 
IS3220: Unit 5 Ingress and Egress Filtering
Ingress Filtering
Ingress (inbound) traffic enters a network interface from outside the network. Incoming traffic usually
originates from the Internet, remote clients, mobile platforms, and distributed networks. Ingress traffic can
come from unknown sources, which is why strict filtering policies restrict external access to sensitive
mission-critical servers and services.
Egress Filtering
Egress (outbound) traffic exits a network interface for traffic originating inside the network. Outbound
traffic usually comes from trusted sources, but even those sources can be exploited to make calls to
remote servers. Trusted sources can also unwittingly pass unsafe payloads, so outbound traffic may be
subject to separate filtering rules for known problems (that is network worms and Trojan attachments).
Isolation
Isolation refers to the total separation of systems and networks. Large organizations consist of multiple
departments that require different levels of access across the network. By firewalling departments into
compartmentalized subnets, administrators can selectively restrict access with granular user and group
access controls. Isolation contains and confines potential security incidents on the network.
Malicious Traffic
Egress filtering prevents malicious traffic from exiting the network to contain the spread of worms and
distributed attacks. Sometimes trusted systems are compromised by a remote attacker that connects to
remote servers from your network. Since inbound traffic can come from unknown sources, it’s always
scrutinized for malicious behavior.
Prevention of Information Leakage
Noisy protocols can sometimes leak private network information beyond protective network measures.
Windows uses fallback protocol queries that can leak information and appear malicious to remote
systems. Certain protocols; for example, Microsoft remote procedure call (MS RPC), network basic
input/output system (NetBIOS), and server message block (SMB) should remain within network bounds.
Confinement of Legitimate Services
Some network services broadcast information to other network endpoints, such as syslog, Simple
Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), and Internet Relay Chat
(IRC). Even Internet Control Message Protocol (ICMP) should be considered for restriction to the internal
network or between select networks. Administrators should restrict the ability for unnecessary protocols
that leave the network.
© ITT Educational Services
Page 1
IS3220: Unit 5 Ingress and Egress Filtering
Domain Compartmentalization
Separating ingress and egress traffic helps establish compartmentalized network domains. What comes
in is treated differently than what goes out. Sensitive systems and services should be shielded from
unauthorized use by external parties, and trusted internal users should not pass malicious traffic.
© ITT Educational Services
Page 2
Related documents
Networking Qualifying Exam Question 1 Georgia Tech April 4, 2008
Networking Qualifying Exam Question 1 Georgia Tech April 4, 2008
16.810 IAP 2007 Requirements and Interface Document Engineering Design and Rapid Prototyping
16.810 IAP 2007 Requirements and Interface Document Engineering Design and Rapid Prototyping
Deriving Traffic Demands for Operational IP Networks: Methodology and Experience
Deriving Traffic Demands for Operational IP Networks: Methodology and Experience
Censorship (1S)
Censorship (1S)
BILL ANALYSIS
BILL ANALYSIS
Bed Alarm System Detecting Ingress and Egress
Bed Alarm System Detecting Ingress and Egress
presentation source
presentation source
Safe Ingress and Egress to the Workplace
Safe Ingress and Egress to the Workplace
Computer Vision
Computer Vision
Internet Filtering Policy Parent Options
Internet Filtering Policy Parent Options
數位影像處理(全程英文教學)
數位影像處理(全程英文教學)
Syllabus - Computer Science
Syllabus - Computer Science
Download
advertisement