Comment by jlgaddis
4 years ago
For several years now, I've been an advocate for either "uninstalling" the default route on (most) hosts and/or switching to a default deny policy for outbound traffic, just like we all did for inbound traffic a long time ago.
I'll readily admit that the amount of work required in order to do this is HUGE and, of course, it isn't gonna happen overnight. Every time we have another one of these massive vulnerabilities that affects damn near everything and everybody, though, I think we get just a little bit closer.
Once some large company makes the decision to do it, then actually does it, then (at some point down the road) shares publicly how it totally saved their ass when $thing happened, maybe some CISOs will start to take notice and (eventually) follow suit.
As with IPv6, I remain hopeful that we'll get there at some point in my lifetime! Unfortunately, though, I'm sure it'll take a lot more "bad shit" happening first.
I'm assuming you're using a stateful packet filter when you're talking about this? Otherwise you'll break all kinds of stuff.
CISOs care about security but you'll find that most developers/users do not at all and it's like pulling teeth to get anything done. It'd likely be better to get all developers basic security training and automated code vulnerability scanning tools.
I've worked in an environment where all the developers did basic security training, and I've worked (well, interned) in an environment where prod had a default-deny firewall for outbound traffic.
The latter was definitely a hell of a lot more trouble. The latter was also definitely a hell of a lot more secure - and not because I had tons of faith in the code.
I currently work in a place that does both, yet still find questionable things on a weekly basis!
Exhausting, lol
That's what I did at my last role, and it was made infinitely easier because I was the first engineer and it was greenfield development.
Our backend used a combination of network policies to only allow outbound TCP connections to a handful of forward proxies, each of which was one simple, easy to verify nginx server that forwarded to https://saas.service.example.com.
And on days when we learned of new supply chain vulnerabilities, we didn't have a security incident.
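One way to build the arrangement this post describes, written here as an added example and not the commenter's actual configuration: a Kubernetes namespace with default-deny egress, application pods that may only reach cluster DNS and a set of forward-proxy pods, and proxy pods that run a single nginx `proxy_pass` to the one SaaS hostname named above. Everything except that hostname is assumed: the namespace `backend`, the labels `app=api` and `app=egress-proxy`, CoreDNS labelled `k8s-app=kube-dns` in `kube-system`, the proxy port 8080, the private ranges in the `except` list, and the CA bundle path.

```yaml
# Added example (not the commenter's configuration). Assumed names:
# namespace "backend", app pods app=api, proxy pods app=egress-proxy,
# CoreDNS in kube-system labelled k8s-app=kube-dns. The hostname
# saas.service.example.com is the one given in the comment above.
---
# 1. Default-deny egress: an empty podSelector selects every pod in the
#    namespace, and a policy with no egress rules allows nothing out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: backend
spec:
  podSelector: {}
  policyTypes: ["Egress"]
---
# 2. Application pods: cluster DNS plus the proxy pods, nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-egress-allowlist
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    - to:
        - podSelector:
            matchLabels:
              app: egress-proxy
      ports:
        - { protocol: TCP, port: 8080 }
---
# 3. Proxy pods: DNS plus TCP/443 outside the cluster. The private ranges
#    are excluded so a compromised proxy cannot pivot into internal nets
#    (assumed ranges; adjust to the cluster's actual addressing).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-proxy-allowlist
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: egress-proxy
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
      ports:
        - { protocol: TCP, port: 443 }
---
# 4. The proxy itself: one nginx server that knows exactly one upstream,
#    with TLS verification of that upstream turned on. The CA bundle path
#    is an assumption and varies by base image.
apiVersion: v1
kind: ConfigMap
metadata:
  name: egress-proxy-nginx
  namespace: backend
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 8080;
        location / {
          proxy_pass https://saas.service.example.com;
          proxy_set_header Host saas.service.example.com;
          proxy_ssl_server_name on;
          proxy_ssl_name saas.service.example.com;
          proxy_ssl_verify on;
          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        }
      }
    }
```

Apply with `kubectl apply -f` and mount the ConfigMap at `/etc/nginx/nginx.conf` in the proxy pods. Two things to check before relying on it: NetworkPolicy is only enforced if the cluster's CNI plugin implements it, so confirm with a pod that tries to reach the internet directly and fails; and the `app=egress-proxy` label is the trust boundary, so whoever can set pod labels in the namespace can bypass the allowlist, which is why RBAC on the namespace matters as much as the policies. With this in place, a malicious dependency running inside an `api` pod can reach the proxy and, through it, one hostname, which is the property the post is describing.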
I implemented this on a company's network in the mid-2000s:
- All browser traffic went through an extremely locked-down, secured proxy.
- All applications on the OS (bar the browser) were routed to a different set of proxies, with only whitelisted IP addresses, over VPNs / leased lines / MPLS.
- Any data that tried to get out from a PC not in the above whitelist was flagged and investigated.
You can do an outbound allow list with apps like Little Snitch.