Filtering outbound Internet traffic is a very unpopular topic among network administrators, end users, and pretty much everyone else. That's because it's an inconvenience, and the sad truth is that convenience almost always wins over security and safety. Nevertheless, if you are not filtering your outbound traffic, you have a gaping hole in your security that needs to be addressed.
As I have often said, how many crocodiles are in the moat doesn't matter if someone can be tricked into lowering the drawbridge. Filtering outbound Internet traffic provides an essential layer of protection against someone who has been fooled in just that way. Think of it like the backstop at a baseball game-- even if the catcher doesn't catch the ball, or a foul tip goes flying, the fans watching behind home plate are still safe. Outbound Internet filtering means that even if an employee who doesn't know any better-- or can't know any better-- clicks on a malicious link that to all appearances looks legitimate, that person's computer and anything else connected to it still have a measure of protection.
You can't count on yourself or your employees to be able to tell the difference between a legitimate link and a malicious one, or even a legitimate Microsoft account prompt and a fake one. Both will use a real Microsoft logo, and even an experienced professional will probably not be able to spot the deception without taking the risk of visiting the site to see what's behind it. One mistake is all that is necessary to open the floodgates. Once a criminal has access to even a single computer in your company, all of your data is at risk.
The first place to start is the obvious-- or at least what should be obvious to anyone who has worked in IT more than a few minutes. Start with protocols. The two that carry the majority of Internet traffic are TCP and UDP. A network administrator can easily restrict outbound traffic to a very short list of protocols:
These four protocols will cover most useful Internet traffic apart from email. In many cases, these will cover email as well, especially if email is viewed through a web browser, which uses HTTPS. Other email technologies may require one or more of these protocols:
As you can see, this is quite a manageable list. Anyone who argues that this is too difficult or too inconvenient to implement and maintain is suspect and needs to be challenged, if not replaced outright with a more competent network administrator. Meanwhile, any traffic that is not on this list should be treated as suspect. Why allow TCP port 43762 outbound around the clock on the off chance that someone might need it some day-- when all that is necessary is to open a ticket and have a technician allow the port if it really is needed? Yes, TCP and UDP each have 65,536 possible ports-- almost none of which are necessary. Why leave the barn door unlocked all day if almost no one needs to get into the barn?
The second and perhaps more important area that needs to be restricted is actual domain names. Do you or your employees truly require around-the-clock access to every single web site on the Internet? Most likely, the answer is "no, of course not." When pressed, most people could put together an allow list of only one or two hundred sites. At a bare minimum, a good firewall can block entire categories of sites. If, for example, you don't block pornography, you could be leaving yourself open to sexual harassment litigation if an employee decides that you're fostering a hostile work environment. If you don't block Facebook and that ilk-- maybe even "news" sites loaded with gossipy click-bait-- you're encouraging employees to waste time instead of working. Instead of you or your IT provider just saying, "we don't do that," you should be having a discussion with a lawyer and your IT provider to make sure that your firewall implements your legal obligations effectively.
As far as the occasional exception is concerned-- look into the possibility of appointing the most competent person in the office to be able to override a block, or better still, have a separate computer that has no outbound restrictions and is on a network completely separate from all the other computers. If that computer is compromised, it can be quickly reformatted and a fresh copy of its operating system installed. The best practice, of course, is for the IT firm to review and approve any exceptions or modifications to the rules programmed into the firewall.
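To make the policy described above concrete (a short outbound service allow list, a domain allow list with blocked categories, and ticketed exceptions that expire), here is an added example, not code from the original article, that evaluates constructed connection records against such a default-deny policy and reports what would have been stopped and why. The ports, domains, category map and exception are all assumptions standing in for whatever an organisation actually approves.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple, Dict, List

# Constructed policy (assumptions, not the article's list). Anything not here is denied.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}
ALLOWED_DOMAINS = {"example.com", "login.microsoftonline.com"}
BLOCKED_CATEGORIES = {"adult", "social"}
# Constructed category lookup; a real firewall gets this from its category feed.
DOMAIN_CATEGORY = {"social.example": "social", "news.example": "news"}
# Ticketed exception: a technician opened (tcp, 43762) until a fixed expiry date.
EXCEPTIONS = {("tcp", 43762): datetime(2024, 1, 31, tzinfo=timezone.utc)}

@dataclass
class Flow:
    proto: str
    dst_port: int
    domain: Optional[str]   # SNI or DNS name if the firewall sees one, else None
    when: datetime          # time of the connection attempt

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Default deny: only explicit permits pass."""
    key = (flow.proto.lower(), flow.dst_port)
    if key not in ALLOWED_SERVICES:
        expiry = EXCEPTIONS.get(key)
        if expiry is None:
            return "deny", f"{key[0]}/{key[1]} is not on the outbound allow list"
        if flow.when > expiry:
            return "deny", f"exception for {key[0]}/{key[1]} expired {expiry.date()}"
    if flow.domain is not None:
        name = flow.domain.lower()
        if name not in ALLOWED_DOMAINS:
            category = DOMAIN_CATEGORY.get(name)
            if category in BLOCKED_CATEGORIES:
                return "deny", f"{name} is in blocked category '{category}'"
            return "deny", f"{name} is not on the domain allow list"
    return "allow", "explicitly permitted"

def audit(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts over a batch of flows, e.g. a day's connection log."""
    counts = {"allow": 0, "deny": 0}
    for flow in flows:
        verdict, _ = evaluate(flow)
        counts[verdict] += 1
    return counts

if __name__ == "__main__":
    t = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed timestamp
    for f in [Flow("tcp", 443, "login.microsoftonline.com", t),
              Flow("tcp", 443, "social.example", t), Flow("tcp", 6667, None, t)]:
        print(f.proto, f.dst_port, f.domain, *evaluate(f))
```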
In the end, a managed network by definition requires outbound filtering as well as inbound filtering-- that's what management is all about. By not filtering outbound traffic aggressively, you're throwing away half the value of your firewall-- perhaps more-- and a good argument can be made that you may as well have a $50 router from Best Buy as that will give you basic protection from criminals trying to break down the door with a battering ram, so to speak. A firewall is not a "magic box" that somehow knows what to exclude and what to allow. Like any other computing device, it does only what it is programmed to do. If it is programmed to allow traffic, it will allow it. If your network management firm claims that outbound filtering is not necessary, start looking for a new company that will truly manage your network.