In a recent article, I discussed the importance of filtering out spoofed traffic from inbound Internet connections (“Prevent IP spoofing with the Cisco IOS”). However, inbound spoofing isn’t the only threat out there. In fact, it’s just as important to prevent outbound spoofing.
This time, let’s look at protecting your organization from
the other direction — preventing spoofed IP packets and other harmful traffic
from exiting your network and going to the Internet. You don’t want your
network to be a haven for malicious activities, right?
Hopefully, there’s no malicious activity originating from your organization’s network. But that doesn’t mean it won’t happen. Here are some common malicious activities that you want to prevent:
- Spoofed IP packets headed toward the Internet
- SMTP e-mail sent from a PC directly to the Internet
- Virus and worm traffic originating from your company via e-mail or other ports
- Hacking of your Internet router
Prevent outbound IP address spoofing
As I mentioned in my previous article, there are certain IP address ranges (the private and other reserved ranges) that should never appear as a source address on the Internet. Traffic that uses any of these IP addresses as its source is very likely fake and malicious. Not only do you want to prevent traffic with source IP addresses in these ranges from coming from the Internet, but it’s also important to prevent traffic with source IP addresses in these ranges from going to the Internet.
To do so, create an egress access control list (ACL) filter
on the router, and apply it to the Internet interface in the outbound direction.
Listing A offers an example.
This prevents any traffic from the specified IP address ranges from exiting your organization’s network. (As I mentioned in the article about inbound IP spoofing, another way to protect your network from IP address spoofing is unicast reverse path forwarding (uRPF), configured with the ip verify unicast command. uRPF drops a packet when the routing table would not send traffic back to that packet’s source address through the interface it arrived on, so it requires CEF. To catch spoofed packets coming from your own LAN, you would enable it on the inside interface of the router, such as Fast Ethernet 0/0, rather than on the serial interface facing the Internet.)
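Listing A is not reproduced on this page. The following configuration is an added example of my own, not the article’s listing: an egress ACL applied outbound on the Internet interface, plus strict uRPF on the LAN interface as the alternative described above. The interface names, the 203.0.113.0/24 “own prefix” (an RFC 5737 documentation range standing in for your organization’s real public block), and the final permit-only-our-prefix rule are assumptions for illustration; the article itself only calls for denying the reserved ranges.

```cisco
! Added example, not the article's Listing A. Assumptions:
!   Serial0/0        = Internet uplink
!   FastEthernet0/0  = inside LAN
!   203.0.113.0/24   = this organization's public prefix (documentation range)
!
ip access-list extended EGRESS-ANTISPOOF
 remark Source ranges that must never leave toward the Internet.
 remark Listed explicitly so each hit is logged; the final permit/deny
 remark pair below would catch them anyway.
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 remark Only our own prefix is a legitimate source; anything else is spoofed.
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group EGRESS-ANTISPOOF out
!
! Complement: strict unicast RPF on the LAN-facing interface (needs CEF).
! A packet arriving on Fa0/0 whose source address the routing table would
! not reach back out Fa0/0 is dropped before it is ever routed.
ip cef
!
interface FastEthernet0/0
 description Inside LAN
 ip verify unicast source reachable-via rx
```

Two caveats a practitioner should keep in mind: if the router performs NAT, an ACL applied outbound on Serial0/0 sees post-translation addresses, so legitimately translated traffic carries your public prefix while an untranslated (spoofed) private source still matches the deny lines; and strict uRPF on an interface with asymmetric routing will drop legitimate traffic, so use it only on a simple single-homed LAN interface like the one assumed here. The log keyword on the deny lines is what turns this from a filter into a detection point; a spoofed source in syslog is a host worth investigating.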
In addition to preventing packets with spoofed IP addresses
from exiting your corporate network, there are other steps you should take to
keep malicious users from taking advantage of your network.
Don’t allow SMTP e-mail to send directly from a PC to the Internet
You don’t want anyone to use your organization’s network to send out spam. To prevent this, your firewall shouldn’t allow traffic to come from your PCs and go directly to TCP port 25 (SMTP) on the Internet.
In other words, control which type of traffic is traveling outbound through your Internet connection. Assuming your company has an internal e-mail server, all SMTP traffic going to the Internet should originate from that in-house server, not from internal PCs.
You can accomplish this by using your firewall (or ACLs at the minimum) to allow only certain destination ports going to the Internet, and only from the hosts that legitimately need them. For example, most companies only need to allow all PCs to go to ports 80 and 443 on the Internet.
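Here is an added example of that outbound port policy expressed as a Cisco IOS ACL (my code, not from the article). It assumes an inside LAN of 192.168.1.0/24 behind NAT, an in-house mail server at 192.168.1.25 and an internal DNS resolver at 192.168.1.53; none of these addresses come from the article. The ACL is applied inbound on the LAN interface so that it matches pre-NAT addresses and does not collide with an anti-spoofing ACL applied outbound on the Internet interface (IOS allows one ACL per interface per direction).

```cisco
! Added example. Assumed hosts, not from the article:
!   192.168.1.0/24  = inside LAN (private, NATed by this router)
!   192.168.1.25    = in-house mail server
!   192.168.1.53    = internal DNS resolver
!
ip access-list extended LAN-OUTBOUND-POLICY
 remark Only the in-house mail server may speak SMTP to the Internet.
 permit tcp host 192.168.1.25 any eq smtp
 remark Any other host sending SMTP is a spam bot or misconfigured PC; log it.
 deny   tcp any any eq smtp log
 remark Only the internal resolver talks DNS to the outside world.
 permit udp host 192.168.1.53 any eq domain
 permit tcp host 192.168.1.53 any eq domain
 remark Everything else on the LAN: web traffic only.
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 remark Implicit deny made explicit so the drops are logged.
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside LAN (pre-NAT addresses are seen here)
 ip access-group LAN-OUTBOUND-POLICY in
```

Because the ACL is applied inbound on the LAN interface, it also governs traffic from the LAN to the router itself and to any other subnets routed through this router; add permits for those (and for anything like NTP that your servers need) before deploying. The logged SMTP denies are the useful part operationally: a PC that keeps hitting that line is the infected machine you want to find.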
Keep virus and worm traffic from originating from your company
In many ways, you can prevent virus and worm traffic by controlling the ports used by client systems on the LAN to communicate to the Internet. However, restricting ports only goes so far, and malicious users and malware can usually find a way around port restrictions, for example by tunneling over the web ports you do allow.
To further prevent viruses and worms, consider using some
kind of unified threat management (UTM) appliance such as Cisco ASA or Fortinet. Classified as anti-X appliances, both of these options
block a number of security threats. For more information, check out Cisco’s “Deployment
Considerations: Comparing Converged and Dedicated Security Appliances”
Prevent the hacking of your Internet router
To secure your router, make sure you’ve configured SSH on your Cisco router (and disabled Telnet on the vty lines), set up an ACL that defines the source IP addresses of your management consoles and applied it to the vty lines with access-class, and run the Cisco Security Device Manager (SDM) Security Audit feature to ensure you didn’t miss plugging any of the common security holes.
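The configuration below is an added example of those hardening steps (mine, not from the article or from SDM’s output). The hostname, domain name, management subnet 10.1.1.0/24, username and interface name are assumptions; replace the passphrase placeholder with your own.

```cisco
! Added example. Assumed values, not from the article:
!   example.com   = domain name (required before generating the RSA key)
!   10.1.1.0/24   = management consoles
!   Serial0/0     = Internet uplink
!
hostname edge-rtr
ip domain-name example.com
!
! SSH host key and SSHv2 only; short timeouts limit brute-force attempts.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management consoles may reach the management plane.
access-list 10 remark Management consoles
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
! Local account with a hashed secret; obscure any remaining plaintext passwords.
username netadmin privilege 15 secret <choose-a-strong-passphrase>
service password-encryption
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! SDM needs HTTPS, so keep it, but restrict it to the same consoles
! and turn off plaintext HTTP and the other legacy services.
no ip http server
ip http secure-server
ip http access-class 10
no service tcp-small-servers
no service udp-small-servers
no ip source-route
!
interface Serial0/0
 no cdp enable
```

The access-class on the vty lines and the ip http access-class line are what enforce the management-source ACL; generating the key and enabling SSH alone does not stop an attacker on the Internet from trying to log in.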
Remember: While it’s important to protect your private
network from attackers on the Internet, it’s just as vital to prevent these
attackers from taking advantage of your network for their malicious ways. These
four methods go a long way toward doing just that.
What steps have you taken to prevent attackers from using
your network to launch attacks? Are you performing egress IP spoof filtering?
Do you have a unified threat management appliance that filters outbound traffic
for viruses and worms? Share your methods in this article’s discussion.
David Davis has worked
in the IT industry for 12 years and holds several certifications, including
CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of
systems/network administrators for a privately owned retail company and
performs networking/systems consulting on a part-time basis.