Identifying and Controlling Both Incoming and Outgoing Traffic
It is not enough to protect internal network resources against external attacks.
Attackers may plant Trojan horses on, or otherwise booby-trap, websites that users visit frequently in order to launch drive-by download or watering hole attacks. These attacks let malware enter the internal network inside authorized traffic. After a successful compromise, attackers typically download further malware, connect to command-and-control (C&C) servers, and exfiltrate data to external networks through covert channels. In addition, an organization's internal assets may be hijacked and used to attack other networks. Security personnel must therefore pay attention to both inbound and outbound threats.
For example, create a whitelist of authorized websites and applications and allow outgoing traffic only to those destinations. To take full control of a system, attackers must get malware onto the internal network, and restricting users' online behavior greatly reduces the attack surface available for doing so.
Strict control of traffic in both the inbound and outbound directions is a key measure for ensuring network security. To achieve it, security personnel need to understand the attack techniques commonly used and design and adjust service solutions accordingly. In a service solution, security policies are what control incoming and outgoing traffic. For example, malware that has penetrated the internal network often establishes its C&C connection and moves data out through a DNS covert channel. An effective and simple defense is to restrict the destination of DNS requests to the organization's own DNS server or a trusted public resolver. This stops malware from talking directly to an attacker-run DNS server and funnels all resolution through a resolver whose queries can be logged; it does not, on its own, stop data tunnelled inside queries for a domain the attacker controls, because the trusted resolver will still recurse to the attacker's authoritative server, so it is best combined with inspection of the queries themselves. Table 4-1 shows an example in which an enterprise uses Google Public DNS: all devices on the internal network are allowed to send DNS resolution requests to the Google Public DNS servers (DNS normally runs over UDP, so UDP port 53 is permitted), and access to any other DNS server over both UDP and TCP is denied. Because resolver addresses are pushed to clients by DHCP, the DHCP server must also be configured to hand out the Google Public DNS addresses; otherwise clients keep querying a resolver that the policy now blocks.

Note that rule 202 also denies TCP port 53 to 8.8.8.8 and 8.8.4.4, because rule 201 permits UDP only. Resolvers fall back to TCP when a response does not fit in UDP (the TC bit is set), so if such lookups are needed, add dns-tcp to the service field of rule 201 rather than relaxing rule 202. Port-53 rules also say nothing about DNS over TLS (TCP 853) or DNS over HTTPS; a client using those is governed by whatever policy applies to that traffic.
Table 4-1 Security policies that restrict DNS traffic to Google Public DNS

| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Application | Action |
|---|---|---|---|---|---|---|---|---|
| 201 | Trusted DNS server | any | Untrust | any | 8.8.8.8, 8.8.4.4 | dns (UDP: 53) | any | permit |
| 202 | Other DNS server | any | Untrust | any | any | dns (UDP: 53), dns-tcp (TCP: 53) | any | deny |
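To make the evaluation order of these two rules concrete, the following is an added example, not from the original page or from any firewall vendor's code: a small Python first-match policy evaluator loaded with the two rules of Table 4-1 and run against constructed sample flows. It assumes that rules are evaluated top-down with the first match deciding and that a flow matching no rule is dropped by an implicit default deny; the `Flow` and `Rule` types, `evaluate`, `demo`, and the sample addresses 10.1.1.10 and 1.1.1.1 are assumptions for illustration. It goes one step beyond the table by also showing the variant of rule 201 that allows TCP fallback to the trusted servers.

```python
"""Added example, not from the original page: replay the two security
policies of Table 4-1 against constructed flows with a first-match
evaluator. Assumptions (mine, not the page's): rules are checked
top-down, the first match decides, and an unmatched flow hits an
implicit default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int


def _in_any(ip: str, nets: Tuple[str, ...]) -> bool:
    """True if ip falls inside any of the given hosts or prefixes."""
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    src_zone: str                           # "any" matches every zone
    dst_zone: str
    src_addrs: Tuple[str, ...]              # () means "any"
    dst_addrs: Tuple[str, ...]              # () means "any"
    services: Tuple[Tuple[str, int], ...]   # (proto, port); () means "any"
    action: str                             # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        if self.src_zone not in ("any", f.src_zone):
            return False
        if self.dst_zone not in ("any", f.dst_zone):
            return False
        if self.src_addrs and not _in_any(f.src_ip, self.src_addrs):
            return False
        if self.dst_addrs and not _in_any(f.dst_ip, self.dst_addrs):
            return False
        if self.services and (f.proto, f.dst_port) not in self.services:
            return False
        return True


UDP53 = ("udp", 53)
TCP53 = ("tcp", 53)
GOOGLE_DNS = ("8.8.8.8", "8.8.4.4")

# Table 4-1 as written: 201 permits UDP/53 to Google Public DNS only,
# 202 denies UDP/53 and TCP/53 towards anything else in Untrust.
POLICY = (
    Rule(201, "Trusted DNS server", "any", "Untrust", (), GOOGLE_DNS, (UDP53,), "permit"),
    Rule(202, "Other DNS server", "any", "Untrust", (), (), (UDP53, TCP53), "deny"),
)

# Variant that also lets resolvers fall back to TCP/53 for truncated
# (TC-bit) responses, still only towards the trusted servers.
POLICY_WITH_TCP_FALLBACK = (
    Rule(201, "Trusted DNS server", "any", "Untrust", (), GOOGLE_DNS, (UDP53, TCP53), "permit"),
    POLICY[1],
)


def evaluate(flow: Flow, policy=POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); None marks the implicit default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.no
    return "deny", None


def demo():
    """Constructed flows from an internal host 10.1.1.10 (addresses are made up)."""
    host = ("Trust", "Untrust", "10.1.1.10")
    cases = {
        "udp53_google":  Flow(*host, "8.8.8.8", "udp", 53),   # permitted by 201
        "udp53_other":   Flow(*host, "1.1.1.1", "udp", 53),   # denied by 202
        "tcp53_google":  Flow(*host, "8.8.8.8", "tcp", 53),   # denied by 202: 201 is UDP-only
        "tcp853_google": Flow(*host, "8.8.8.8", "tcp", 853),  # DNS over TLS: no rule, default deny
    }
    return {name: evaluate(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
    print("tcp53_google with TCP fallback ->",
          evaluate(Flow("Trust", "Untrust", "10.1.1.10", "8.8.8.8", "tcp", 53),
                   POLICY_WITH_TCP_FALLBACK))
```

The `tcp53_google` case is the caveat from the text: with the table as written, a TCP retry towards the trusted resolver is caught by rule 202, and only the variant with dns-tcp added to rule 201 permits it. The `tcp853_google` case shows that neither port-53 rule matches DNS over TLS; here it falls through to the default deny, but in a real rule set a broader permit for outbound TCP or HTTPS would decide it instead.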