Egress Filtering and Firewall Testing with Metasploit MetaModules

August 07, 2013

In today's Whiteboard Wednesday, Chris Kirsch will talk about egress filtering and firewall testing with Metasploit's new MetaModules. The new MetaModules allow you to test individual security control quickly and easily making firewall testing and egress filtering simple.

Egress filtering and firewall testing allows you to control and restrict certain information being sent outbound from one network to another. This lowers your user-based risk and helps ensure that private data is not leaving your network. Download the latest version of Metasploit to take care of the new MetaModules for security controls testing!

Video Transcript

Hello, and welcome to this week's Whiteboard Wednesday. My name is Chris Kirsch. I'm the Product Marketing Manager, here at Rapid7, for Metasploit. Today, I'd like to talk about firewall egress filtering, how you can set it up, and why it's important.

Show more Show less

A lot of companies have firewalls in place that filter traffic coming in, but they don't actually filter traffic going out of the network. That's actually pretty important to stop some security issues. For example, if you have malware on your network, then that malware will try to contact command-and-control servers on the Internet. It might use IP spoofing for some attacks and so on. But if you have a firewall egress filter in place, that stops it from contacting the C&C server. Then, for example, it will have a harder time getting data out of the organization and uploading it to an external server or getting new commands.

There are essentially two ways you can set up firewall egress filtering. You can do that with your existing firewall normally. It's just the setup. It doesn't actually cost you any money to deploy this.

The first one is the more, let's say, security conscious or the higher security premise to start out with, which is a deny all rule on the firewall egress. Of course, if you deny everything, nobody can access the Internet. So you need to set up some rules of what people should be allowed to access the Internet on. Here, we recommend that you take a lot of care before you set this up because you should be talking to all of the different application and business owners to figure out what are the applications that are reaching out to the Internet, what ports are they using, and what's really required.

If you just monitor the traffic and see what's going out, then you'll also see some of the unnecessary traffic. So you really need to take a closer look and be prepared before you start setting this up, because otherwise it could start disrupting business practices.

Now the alternative is that you set up an allow all rule and then block certain ports specifically. A very good document to get started with is the Firewall Egress FAQ from SANS, which gives you some guidelines on the minimum traffic you should filter on your network for the egress. Some of these, for example, are RPC, NetBIOS over IP, and SMB over IP, which typically don't need to go out of the network and can cause some security issues. There are also a bunch of others, but I highly recommend that you read that paper.

If you want to figure out whether you're actually doing firewall egress testing on your network or not, there are essentially two ways. Either you can go to your firewall, have a look at the settings, but these might be kind of complex and difficult to figure out. Also, you only see what the firewall tells you what's it's filtering, but you don't actually see what's filtered and if there's maybe another way out of the network that you're not aware of. So here what you can do is you can actually use the Firewall Egress Testing MetaModule in Metasploit Pro. There's a free trial available on that you can download. Hit one button. It will test your firewall egress and tell you what ports are opened and closed.

All right. That's it for this week. Thank you for stopping by, and I'll see you next week.