Outbound Traffic Control

While inbound rules receive the most attention, controlling outbound traffic is equally important for comprehensive security. Compromised web servers often attempt to download additional malware, join botnets, or exfiltrate data. Properly configured outbound rules can detect and prevent these activities.

Start with essential outbound services that web servers legitimately need:

Allow TCP from web_server_ip to any port 80   # HTTP for updates
Allow TCP from web_server_ip to any port 443  # HTTPS for APIs
Allow UDP from web_server_ip to dns_server_ip port 53  # DNS
Allow UDP from web_server_ip to ntp_server_ip port 123  # Time sync (NTP uses UDP)

Block potentially dangerous outbound connections:

Deny TCP from web_server_ip to any port 25   # Prevent spam
Deny TCP from web_server_ip to any port 6667 # Block IRC (common botnet control)
Deny all from web_server_ip to rfc1918_addresses  # Block lateral movement

Implement logging for unusual outbound connections to detect compromise:

Log TCP from web_server_ip to any port not in (80,443,53,123)
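The rules above are written in a vendor-neutral pseudo-syntax, and their effect depends on evaluation order: the allow lines for the internal DNS and NTP servers must be matched before the RFC1918 deny, or the server loses name resolution and time sync. The following first-match evaluator is an added example written for this page, not code from the original or from any firewall product. It models the ruleset as a list evaluated top to bottom, with the log rule placed as a non-terminating entry before the denies so that blocked traffic is recorded too. All addresses are constructed (documentation and private ranges), and the `Rule` class and `evaluate` function are this example's own simplification of firewall semantics.

```python
"""First-match model of the outbound web-server policy described above.

Added illustration, not code from the original page. Addresses are
constructed (TEST-NET and RFC1918 ranges); the Rule/evaluate model is a
simplified stand-in for a real firewall's rule engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEB_SERVER = ipaddress.ip_address("203.0.113.10")  # constructed web server (TEST-NET-3)
DNS_SERVER = ipaddress.ip_address("10.0.0.53")     # constructed internal resolver
NTP_SERVER = ipaddress.ip_address("10.0.0.123")    # constructed internal NTP server
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
ANY = (ipaddress.ip_network("0.0.0.0/0"),)
ALLOWED_PORTS = frozenset({80, 443, 53, 123})   # the set named in the page's log rule


def host(addr) -> tuple:
    """Wrap a single address as a /32 network tuple so Rule.dst is uniform."""
    return (ipaddress.ip_network(f"{addr}/32"),)


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow"/"deny" terminate; "log" records and continues
    proto: Optional[str]               # "tcp", "udp", or None for any protocol
    dst: tuple                         # destination networks this rule covers
    ports: Optional[frozenset] = None  # destination ports, None for any port
    negate_ports: bool = False         # True -> match ports NOT in `ports`
    comment: str = ""

    def matches(self, proto: str, dst_ip, dst_port: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if not any(dst_ip in net for net in self.dst):
            return False
        if self.ports is None:
            return True
        in_set = dst_port in self.ports
        return (not in_set) if self.negate_ports else in_set


# Order matters: allows for the internal DNS/NTP servers sit above the
# RFC1918 deny, and the log rule sits above the denies so denied traffic
# is recorded as well as dropped.
RULES = [
    Rule("allow", "tcp", ANY, frozenset({80}), comment="HTTP for updates"),
    Rule("allow", "tcp", ANY, frozenset({443}), comment="HTTPS for APIs"),
    Rule("allow", "udp", host(DNS_SERVER), frozenset({53}), comment="DNS"),
    Rule("allow", "udp", host(NTP_SERVER), frozenset({123}), comment="Time sync"),
    Rule("log", "tcp", ANY, ALLOWED_PORTS, negate_ports=True, comment="unusual outbound"),
    Rule("deny", "tcp", ANY, frozenset({25}), comment="Prevent spam"),
    Rule("deny", "tcp", ANY, frozenset({6667}), comment="Block IRC"),
    Rule("deny", None, RFC1918, comment="Block lateral movement"),
]


def evaluate(proto: str, dst: str, port: int):
    """Evaluate one outbound attempt from the web server.

    Returns (verdict, matched_comment, logged). Unmatched traffic falls
    through to a default deny, which is the safe default for egress.
    """
    dst_ip = ipaddress.ip_address(dst)
    logged = False
    for rule in RULES:
        if not rule.matches(proto, dst_ip, port):
            continue
        if rule.action == "log":
            logged = True          # non-terminating: keep walking the list
            continue
        return rule.action, rule.comment, logged
    return "deny", "default policy", logged


# Constructed connection attempts a compromised or healthy server might make.
SAMPLE_EVENTS = [
    ("tcp", "198.51.100.20", 443),   # API call: allowed
    ("udp", "10.0.0.53", 53),        # DNS to internal resolver: allowed before RFC1918 deny
    ("tcp", "198.51.100.20", 25),    # outbound SMTP: logged, then denied
    ("tcp", "10.0.0.99", 22),        # SSH into the internal network: logged, then denied
    ("tcp", "198.51.100.20", 8080),  # unknown service: logged, default deny
    ("udp", "10.0.0.99", 53),        # DNS to a non-approved internal host: denied, NOT logged
]


def audit(events=SAMPLE_EVENTS):
    """Run every event through the policy; handy for checking rule order."""
    return [(proto, dst, port, *evaluate(proto, dst, port)) for proto, dst, port in events]


if __name__ == "__main__":
    for row in audit():
        print("%s %s:%d -> %s (%s)%s" % (row[0], row[1], row[2], row[3], row[4],
                                         "  [logged]" if row[5] else ""))
```

The last sample event shows a gap in the page's log rule as written: it covers TCP only and skips the four allowed port numbers, so a UDP query to an unapproved resolver on port 53 is denied by the lateral-movement rule without leaving a log entry. In practice the deny rules themselves should log, or the log rule should match on protocol and destination as well as port, so that a blocked attempt is never silent.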