5.4. Outgoing Traffic

It is often assumed that permitting all outgoing traffic is not risky. However, if a process is compromised by a worm or a Trojan horse, it may open undesirable connections that can be misused to obtain sensitive information or to gain control over the server. Therefore, it is recommended to disable outgoing traffic at least for processes that are reachable from the Internet or that operate on data from untrustworthy sources, such as servers on the Internet. It is also recommended to narrow the set of servers reachable by processes that perform update checks (i.e. allow these processes to use specific servers only).

Setting a policy for outgoing traffic is a much more complicated task than setting rules for incoming traffic. For incoming traffic, it is easy to determine which services a particular server provides and which traffic can therefore be permitted (in addition, many services allow a group of clients that may connect to them to be specified). The problem with outgoing traffic is that such precise information often cannot be obtained. The administrator must carefully analyze the function and the outgoing traffic of individual processes to recognize which traffic is legitimate and which remote stations a particular process uses. Furthermore, outgoing connections may be established only briefly and at varying intervals (e.g. only once a day), which makes analysis of outgoing traffic even more difficult.

Note: Permitted/Dropped traffic can be viewed in the Network log — refer to chapter 5.5. Recommended Actions.

When setting restrictions on the outgoing traffic of individual processes, the following classification can be helpful:

Based on this classification, a corresponding rule can be defined that enables outgoing traffic only for the group of relevant IP addresses.

TIP: The outgoing traffic of any process can be monitored using the Network log. In the Network Policy section of the administration interface, create a rule allowing all outgoing traffic for the particular process and enable logging of all traffic matching this rule. After some time, the Network log will contain information on the outgoing connections of the process. This information can then be used to create the rules restricting the outgoing traffic of that process.
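The following script is an added example of the workflow described in this tip; it is not part of the firewall product or its documentation. It assumes a hypothetical, constructed log line format (date, time, action, direction, process name, protocol, destination address and port), which you would have to adapt to the exact format of your exported Network log. The sample log lines are constructed. It aggregates the logged outgoing connections per process into (protocol, destination, port) tuples, proposes PERMIT rules for destinations seen repeatedly, lists destinations seen only once for manual review (as the text notes, a connection made once a day is not automatically illegitimate, so the observation window must cover the longest interval at which the process connects), and closes each process's rule set with a DROP rule for everything else.

```python
"""Derive candidate per-process egress rules from a permissive "log everything" rule.

Added example, not part of the firewall's own tooling. The log line format
parsed below is a constructed, hypothetical one; adapt LINE_RE to the exact
format of your Network log export.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: what the Network log might contain after the temporary
# "allow all outgoing + log" rule has been active for a few days.
SAMPLE_LOG = """\
2024-03-01 02:00:01 PERMIT out proc=updater.exe proto=TCP dst=198.51.100.10:443
2024-03-02 02:00:03 PERMIT out proc=updater.exe proto=TCP dst=198.51.100.10:443
2024-03-03 02:00:02 PERMIT out proc=updater.exe proto=TCP dst=198.51.100.11:443
2024-03-03 02:00:02 PERMIT out proc=updater.exe proto=UDP dst=192.0.2.53:53
2024-03-03 14:22:41 PERMIT out proc=updater.exe proto=TCP dst=203.0.113.77:6667
2024-03-01 09:15:00 PERMIT out proc=www.exe proto=TCP dst=192.0.2.20:3306
2024-03-01 09:15:01 PERMIT out proc=www.exe proto=TCP dst=192.0.2.20:3306
2024-03-02 10:01:12 PERMIT out proc=www.exe proto=TCP dst=192.0.2.53:53
"""

# Hypothetical log format; only outgoing ("out") records are matched.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>PERMIT|DROP) out "
    r"proc=(?P<proc>\S+) proto=(?P<proto>TCP|UDP) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


def parse_log(text):
    """Yield (proc, proto, ip, port, date) for each well-formed outgoing log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["proc"], m["proto"], m["ip"], int(m["port"]), m["date"])


def summarize(text):
    """Map each (proc, proto, ip, port) tuple to (connection count, distinct days seen)."""
    counts = Counter()
    days = defaultdict(set)
    for proc, proto, ip, port, date in parse_log(text):
        key = (proc, proto, ip, port)
        counts[key] += 1
        days[key].add(date)
    return {key: (counts[key], len(days[key])) for key in counts}


def propose_rules(text, min_count=2):
    """Split each process's destinations into 'allow' candidates (seen at least
    min_count times) and 'review' entries (seen less often). A single sighting
    may be a legitimate infrequent job or an unwanted connection, so it is
    never silently dropped from the list; an administrator decides."""
    proposed = {}
    for (proc, proto, ip, port), (count, _days) in summarize(text).items():
        bucket = proposed.setdefault(proc, {"allow": [], "review": []})
        bucket["allow" if count >= min_count else "review"].append((proto, ip, port))
    for bucket in proposed.values():
        bucket["allow"].sort()
        bucket["review"].sort()
    return proposed


def render_rules(text, min_count=2):
    """Render the proposal as rule lines: explicit PERMITs, commented REVIEW
    entries, and a final per-process DROP so that anything unlisted is denied."""
    out = []
    proposed = propose_rules(text, min_count)
    for proc in sorted(proposed):
        for proto, ip, port in proposed[proc]["allow"]:
            out.append(f"PERMIT out proc={proc} proto={proto} dst={ip}:{port}")
        for proto, ip, port in proposed[proc]["review"]:
            out.append(f"# REVIEW (seen once) proc={proc} proto={proto} dst={ip}:{port}")
        out.append(f"DROP out proc={proc} proto=ANY dst=ANY")
    return out


if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_LOG)))
```

In the sample, the updater's daily connection to 198.51.100.10:443 becomes a PERMIT candidate, while its three single sightings (a second update server, a DNS query, and an unexpected destination on port 6667) are left for review rather than either allowed or discarded. Lengthen the observation window, or lower `min_count`, when a process is known to connect only rarely.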