by throw0101a 1653 days ago
> Why are we not all using some sort of outbound firewall for our apps? Is there something fundamental (other than the administration of it) that stops it being the standard, or even possible?

Black hole routing is often used in some more regulated industries (finance):

* https://en.wikipedia.org/wiki/Black_hole_(networking)

There's overhead in setting up proxies and telling all software to use them (browsers can be somewhat automated with proxy auto-config (PAC) files). You could of course just use this technique on your server infrastructure.

But it's a 'non-standard' configuration in a world where everything assumes universal connectivity to everything else.

One interesting idea I've seen mentioned is running a firewall on the system itself on a per-UID basis:

* https://www.cyberciti.biz/tips/block-outgoing-network-access...

So if you have a "www-data" UID that runs the web server, you set up iptables to allow it to answer incoming connections and produce replies, but not generate new connections.

> A web server mostly accepts connections but usually only needs to initiate very few connections itself. Therefore it makes sense to limit the possible outgoing connections to what is actually needed. This makes it much more difficult for an attacker to do harm once he has exploited some web application.

* https://wiki.debian.org/Apache/Hardening#Restrict_outgoing_c...

So if you are compromised with attack code, one of the first things it tends to do is fetch some more advanced code to start rummaging through your system(s): that fetch is potentially blocked because it's a new connection to the malware hosting server (or the C&C server).

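The per-UID iptables setup the comment above describes, as an added example (this is not code from the comment, the cyberciti tip or the Debian wiki page). It is a POSIX shell script that generates the rules for a service user and applies them only when explicitly asked to: replies to connections a client already opened pass via conntrack's ESTABLISHED state, an explicit allowlist of destinations the service really needs is accepted, and every other NEW connection from that UID is logged and rejected. The service user `www-data`, the allowlisted destination `10.0.0.5:5432` and the `OUT-BLOCK` log prefix are assumptions constructed for this example; the `owner` and `conntrack` iptables matches are standard.

```shell
#!/bin/sh
# Added example, not from the comment or the pages it links.
# Generates (and optionally applies) iptables rules so that a service UID can
# answer connections clients opened to it but cannot open new ones, apart from
# an explicit allowlist. The values below are constructed for this example.

SERVICE_USER="${SERVICE_USER:-www-data}"         # assumption: the web server runs as www-data
ALLOWED_DESTS="${ALLOWED_DESTS:-10.0.0.5:5432}"   # constructed: a database the app needs, host:port

# Print the iptables commands for user $1 with the space-separated host:port allowlist $2.
build_rules() {
    user="$1"
    dests="$2"
    # Packets belonging to connections a client already opened (the server's replies) are allowed.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Loopback stays open (local sockets such as a cache or database on 127.0.0.1).
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # New connections the service legitimately needs: allow each one explicitly.
    for d in $dests; do
        host="${d%:*}"
        port="${d##*:}"
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Any other NEW connection from this UID: log it (a second-stage fetch after a
    # web app compromise shows up here), then reject it.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j LOG --log-prefix \"OUT-BLOCK $user: \" --log-level 4"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable"
}

# Number of rules build_rules emits for the given user and allowlist.
count_rules() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rules only when APPLY=1 and running as root; otherwise print them for review.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
        build_rules "$1" "$2" | sh -e
    else
        build_rules "$1" "$2"
    fi
}

apply_rules "$SERVICE_USER" "$ALLOWED_DESTS"
```

Run it as-is to review the generated rules; `APPLY=1` as root applies them. Rule order matters: `-A` appends, so if the OUTPUT chain already contains an accept-everything rule these never match, and the ESTABLISHED rule must sit before the REJECT or the server's own replies are cut off. The same rules are needed in `ip6tables` (with `--reject-with icmp6-port-unreachable`) or the outbound path stays open over IPv6, and they have to be persisted (for example with `iptables-save`) to survive a reboot. The LOG rule is the detection half: a line prefixed `OUT-BLOCK www-data:` in the kernel log means something running as the web server tried to open a connection it was never expected to make.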

See also - software-defined perimeter. Sounds extremely bullshit, but boils down to "network is not used directly at all, everything runs over 'black channels' (e.g. use WireGuard) on a service-by-service * peer-to-peer basis". Tailscale is fairly close to this.