Ingress/Egress Filtering

Traffic flows across a network in two directions - inbound and outbound. Proper filtering of this traffic ensures that a network is functioning as intended in a secure and efficient manner.

         Inbound, or Ingress filtering, protects a network from invalid traffic originating from outside the network by blocking this traffic when it enters the network.

         Outbound, or Egress filtering, ensures that your network does not transmit invalid traffic to remote networks.

Proper filtering can reduce the ability for a remote attacker to easily use spoofed packets and Man-in-the-Middle attacks across the network edge by disallowing traffic that meets certain specifications.

As an example, an attacker will often attempt to spoof a trusted host on the target network in order to abuse a trust relationship between two machines on your network. With proper Ingress filtering, the remote attacker's packets will never reach their intended target as the spoofed network address should never attempt to connect to the target machine from an outside interface.

Alternatively, the well-known and abused "un-routable" network spaces reserved for private use can be used to circumvent certain firewall implementations for the purpose of information retrieval and network mapping, and as a precaution, should be filtered on all edge routers.

These abused address spaces are generally called Bogons, and are defined as Martian blocks [Private (reserved for non-Internet usage) and reserved address spaces (multicast, experimental, future use) RFCs 1918, 3330] and blocks that are not currently assigned to a designated registry organization. Bogons should be filtered on both the inbound and outbound directions on all network interfaces that are open to the Internet. In reality, these Bogons should be filtered in all network devices regardless of their location or function, as such filtering when applied on a widespread scale will reduce the total amount of abusive Internet traffic.

It is important to note that the Bogon list is dynamic, and regularly changes as new block spaces are assigned and released, so regular updates will be required for comprehensive coverage. Publicly available Bogon lists are by no means a complete filtering solution, but are a great place to begin when identifying troublesome address spaces during the creation and deployment of any filtering solution. More information on the Bogon list can be found at the Team Cymru Bogon Reference at http://www.team-cymru.org/Services/Bogons.