The second in ISC’s ‘Tip for the Day’ series is a proposal to remove your default gateway.
Removing the default gateway is an original idea, but it is a move that has its pros and cons, and we think it is more of a ‘hack’ (in the technical sense) than a real solution.
The author states that:
Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment. This practice enforces that gateways are used for all external communications.
It is true that it is good practice to allow only what is required. If a machine does not need a default gateway then there is no reason for it to have one.
Conversely, this seems to be a solution to a different problem. Removing the default gateway from a machine is a damage-limitation measure that compensates for a common weakness: the lack of an outbound access policy on network firewalls.
With a default gateway in place, malware that has infected a machine on the network may attempt to spread both across the local network and out to the Internet. To get out, the machine sends all non-local traffic to its default gateway (normally your gateway firewall), which routes the traffic on to the Internet.
From professional experience, most network firewalls are configured by default to block access in and not to control access out. Should a machine on the network become infected, unfettered access to the Internet only helps the infection spread, lets the infected machine fetch further payloads, and opens the network up to control from outside.
Removing the default gateway route only limits the damage from a specific subset of malware. Infections that spread on the local network, by unicast or broadcast, are not stopped by removing the default route, because that traffic never needs a gateway at all; and malware running with administrative rights can simply add the route back.
The real fix for this problem is to re-evaluate the firewall configuration and devise access controls for outbound traffic through your firewall, so that the policy is enforced at a point the infected host does not control.
As the author mentions, proxied access to the Internet is advised as well. With an application-layer firewall or proxy you can filter web requests, email and messaging services for malicious content, and a sound security policy will help defend against any outbreak that does occur.
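To make the argument above concrete, here is an added example (not code from the ISC tip or from this post) that models the two controls side by side: a workstation with or without a default route, and an outbound policy on the gateway firewall. The routing tables, the addresses (a workstation subnet 192.168.10.0/24, a DMZ 10.0.1.0/24 holding a web proxy at 10.0.1.5) and the three sample flows are all constructed for illustration and are assumptions, not captured from any real network. It shows which flows each control actually stops: a worm talking to a LAN peer is delivered on-link under every configuration and the firewall never sees it; a direct connection to an outside host is cut off either by the missing route or by the egress policy; and traffic to the proxy passes in every case because the no-default-route table keeps a static route to the DMZ.

```python
"""Added example: does removing the default route, or an egress policy on the
gateway firewall, stop a given flow?  All tables, addresses and flows below are
constructed for illustration (assumptions, not data from a real network)."""
import ipaddress
from dataclasses import dataclass

# Constructed `ip route` output for a workstation at 192.168.10.57.  The second
# table follows the tip: no default route, only a static route to the DMZ
# subnet (assumed 10.0.1.0/24) where the web proxy lives.
ROUTES_WITH_DEFAULT = """\
default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.57
"""
ROUTES_NO_DEFAULT = """\
10.0.1.0/24 via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.57
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Constructed flows an infected workstation might generate.
FLOWS = {
    "worm to LAN peer (SMB)": Flow("192.168.10.57", "192.168.10.20", "tcp", 445),
    "direct C2 over HTTPS": Flow("192.168.10.57", "203.0.113.10", "tcp", 443),
    "web via proxy": Flow("192.168.10.57", "10.0.1.5", "tcp", 3128),
}

# Gateway firewall policies: first match wins, implicit DROP at the end.
# Tuples: (source net, destination net, proto or "any", dport or "any", action)
PERMISSIVE_POLICY = [  # the common "block in, allow everything out" default
    ("0.0.0.0/0", "0.0.0.0/0", "any", "any", "ACCEPT"),
]
EGRESS_POLICY = [  # workstations reach only the proxy; only the proxy talks out
    ("192.168.10.0/24", "10.0.1.5/32", "tcp", 3128, "ACCEPT"),
    ("10.0.1.5/32", "0.0.0.0/0", "tcp", 80, "ACCEPT"),
    ("10.0.1.5/32", "0.0.0.0/0", "tcp", 443, "ACCEPT"),
]

def parse_routes(text):
    """Turn `ip route` style lines into (prefix, gateway-or-None) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the gateway address, 'link' for an on-link
    destination, or None when the host has no route at all."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] or "link"

def firewall_verdict(policy, flow):
    """First-match evaluation of an outbound policy on the gateway."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for s, d, proto, port, action in policy:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and proto in ("any", flow.proto) and port in ("any", flow.dport)):
            return action
    return "DROP"

def outcome(routes, policy, flow):
    """NO_ROUTE: the host cannot send at all.  LAN: delivered on-link, so the
    gateway firewall never sees it.  Otherwise: the firewall's verdict."""
    hop = next_hop(routes, flow.dst)
    if hop is None:
        return "NO_ROUTE"
    if hop == "link":
        return "LAN"
    return firewall_verdict(policy, flow)

SCENARIOS = {
    "default route, allow-all outbound": (ROUTES_WITH_DEFAULT, PERMISSIVE_POLICY),
    "no default route, allow-all outbound": (ROUTES_NO_DEFAULT, PERMISSIVE_POLICY),
    "default route, proxy-only egress policy": (ROUTES_WITH_DEFAULT, EGRESS_POLICY),
}

def compare(scenarios=SCENARIOS, flows=FLOWS):
    """Outcome of every flow under every scenario, keyed by scenario then flow."""
    return {name: {fname: outcome(parse_routes(table), policy, flow)
                   for fname, flow in flows.items()}
            for name, (table, policy) in scenarios.items()}
```

Running compare() gives "LAN" for the SMB flow under all three scenarios, which is the point of the post: neither control touches traffic that stays on the segment. The C2 flow is ACCEPTed by the allow-all firewall, becomes NO_ROUTE once the default route is gone, and is DROPped by the egress policy even with the default route still present; the last of these holds regardless of what a local administrator (or malware with those rights) does to the host's routing table.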