Hacker News new | ask | show | jobs
by _jhqp 1653 days ago
"Network access" as in outgoing requests to public web.

e.g. you can't curl google.com

I've used this code in CTF competitions and Blue Team exercises where some machines behind a VPN don't have outgoing network access.

(Sometimes it's just simpler to organize this way, sometimes it's deliberate for security purposes.)
1 comments
SahAssar 1653 days ago
So restricted HTTP access, but wide open SSH? Do people commonly restrict only HTTP/HTTPS but leave other ports unrestricted?
link
thedougd 1653 days ago
This would be a common setup. They allow SSH ingress so that the server can be managed or provisioned with something like Ansible. However, they block all other unused ingress ports, as well as any egress that does not contribute to the function of the server. Also common would be a bastion or VPN to get to the network where SSH is accessible. A mistake is to have SSH accessible to the entire corporate network, which is all too common.
link
jve 1653 days ago
Yeah, well, not only HTTP*, but actually whitelisting whatever outgoing connection you may need. https://github.com/stripe/smokescreen

Suppose you configured your webserver to run with limited privileges so as if someone hacks it it has limited access. Suppose it still has access to DB and stuff. Well, filtering outgoing connections makes harder to exfiltrate the data OR hop to another hosts. And then you can monitor failed outgoing requests to be able to act/investigate when that happens.

link
stevekemp 1653 days ago
Yeah there are a bunch of tools like this - I'm using Aviatrix at the moment for a bunch of hosts:

* Incoming access is allowed to "stuff" when connected to the OpenVPN host.

* Outgoing access to services is very heavily restricted.

* Outgoing HTTP/HTTPS requires the site to be on an allow-list. By default all outgoing HTTP/HTTPS traffic is denied.

(We might add yum-repositories to the allowlist, or permit access to the various "Windows Updates" services, for example. But all other downloads from remote sites would be denied.)

link
SahAssar 1653 days ago
Couldn't an attacker exfiltrate over ssh or over an incoming HTTP connection instead of an outgoing? Or is this a defense-in-depth thing, not meant as a "hard stop"?
link
jve 1652 days ago
I see this as a defense in depth. It can buy you time until attacker figures out how to exfiltrate and you maybe notice via monitoring that something fishy is happening. It also prevents you participating in a DoS or other attacks.
link
pnutjam 1653 days ago
no wide open ssh, it's a machine that can talk to it that can also talk out to the wider internet. (A proxy).
link