Egress filtering is a network security technique which involves preventing unauthorized traffic from leaving a network. This approach is usually paired with a number of other techniques to provide more complete network security, and to create layers of security which will make a system more difficult to penetrate. Like other network security techniques, it can be customized for specific applications to meet the needs of a particular environment or organization; the goal is to provide security without turning a security system into a burden for the users.
Many laypeople are familiar with the idea of ingress filtering, which involves keeping unauthorized traffic out of a network. This type of filtering is used by many people every day, even if they aren't explicitly aware of it, and it is designed to protect people from attacks which originate from the outside. With egress filtering, damaging and sensitive materials are prevented from leaving the network, which increases the security of the system and prevents damage to systems which come into contact with the network.
Egress filtering can trap viruses, denial-of-service attacks, and other malicious events originating from infected computers within a network. It can also control the release of information to keep the system more secure, and to avoid providing hackers with information which could be used to compromise the system. Egress filtering may also be used to restrict the type of information released by a network; for example, people might be able to send email, but not to upload files to an external server.
This type of filtering is two-staged. The first stage involves passive monitoring of the traffic in the network. The second stage involves determining what kind of traffic should be allowed through. When the system is established, a number of exceptions are created, with the goal of allowing specific traffic out of the network without any obstacles. Exceptions can also be established for temporary situations, in which case the person needing the exception will need to ask the programmer who handles network security to put the exception in place.
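The two stages and the exception list described above, as an added Python sketch that is not part of the original article: stage one tallies observed outbound flows without blocking anything, and stage two applies a default-deny decision with permanent and expiring exceptions. All addresses, ports, dates and names here are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed outbound flow records: (source IP, destination IP, protocol, destination port)
FLOWS = [
    ("10.0.5.20", "203.0.113.25", "tcp", 587),   # mail submission
    ("10.0.5.20", "198.51.100.7", "tcp", 21),    # file upload to an external server
    ("10.0.5.31", "198.51.100.7", "tcp", 21),    # same upload, host with a temporary exception
    ("10.0.5.44", "192.0.2.80", "tcp", 443),     # web traffic
    ("10.0.5.31", "192.0.2.99", "tcp", 6667),    # nothing permits this
]

# Permanent exceptions: (source network, protocol, destination port)
ALLOW = [("10.0.5.0/24", "tcp", 587), ("10.0.5.0/24", "tcp", 443)]

# Temporary exceptions carry an expiry time after which they stop matching
TEMP = [("10.0.5.31/32", "tcp", 21, datetime(2024, 1, 31, tzinfo=timezone.utc))]

def observe(flows):
    """Stage 1: passive monitoring. Count flows per (protocol, port); block nothing."""
    return Counter((proto, port) for _src, _dst, proto, port in flows)

def decide(flow, now):
    """Stage 2: default deny. A flow leaves only if an unexpired exception matches."""
    src, _dst, proto, port = flow
    addr = ip_address(src)
    for net, p, dport in ALLOW:
        if addr in ip_network(net) and (p, dport) == (proto, port):
            return "allow"
    for net, p, dport, expires in TEMP:
        if addr in ip_network(net) and (p, dport) == (proto, port) and now < expires:
            return "allow-temporary"
    return "deny"

def evaluate(flows, now):
    """Apply the stage 2 decision to every observed flow."""
    return [(flow, decide(flow, now)) for flow in flows]

if __name__ == "__main__":
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    for key, count in observe(FLOWS).most_common():
        print("observed", key, count)
    for flow, verdict in evaluate(FLOWS, now):
        print(verdict, flow)
```

The stage one tally is what shows which ports actually need an exception before the default-deny rule is switched on.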
With a good egress filtering system, malicious and unauthorized material can be contained within a specific network, rather than being allowed to spread. This system can also be used to prevent inadvertent leaks of material, inappropriate releases of material, and illegal activity over the network. A college, for example, might use egress filtering to restrict file sharing with the goal of preventing distribution of illegally copied information and materials.