Ingress vs egress: there seems to be a never-ending debate about these terms. They’re kind of archaic and their meaning seems to be different in different situations.
Today, we’ll do our best to shed some light on this mystery. We don’t want to get into a philosophical debate, though. Our only goal is to explain these terms and how they are typically used in the context of networking. But even that, as you’re about to see, can be rather confusing.
We’ll begin by defining these two terms, first linguistically and then in the specific context of computer networks. We’ll then explain how their meaning can vary based on one’s point of view or on the scope being considered. The same egress traffic in one situation can become ingress traffic in another. Next, we’ll talk about monitoring ingress and egress traffic and introduce some of the best tools you can use for that purpose. But wait! There’s more. We’ll also discuss egress in the specific context of data security and introduce a couple of best practices to protect yourself against unwanted data egress. And, keeping our good habits, we’ll review some of the best SIEM tools that you can use to detect unwanted data egress.
Defining Ingress And Egress
Linguistically speaking, defining either of those words could hardly be easier (pun intended). Let’s see what the Merriam-Webster dictionary has to say about it. It simply and plainly (almost boringly) defines ingress as “the act of entering”. Simple enough, no? And egress is not much more complicated as the same source defines it as “the action of going or coming out”. Here again, a pretty simple definition. If you care to check other sources, you’ll find a definite consensus. Ingress is getting in while egress is getting out.
In The Context Of Network Traffic
But this blog post is not about linguistics, it’s about network administration. And this is where ingress and egress can get a bit more confusing. The idea is still the same, though: it has to do with data entering and leaving a network, a device or an interface. So far, nothing complicated. Where it gets tricky is when people don’t agree on what’s in and what’s out. You see, sometimes the ins of one are the outs of another.
It All Depends On Your Point Of View
Whether network traffic is ingress or egress depends on your point of view. In most other situations, in is in and out is out; there’s nothing confusing about that. This is, however, not so much the case with networks. Let’s try to clarify that using a few concrete examples.
Our first example is that of an Internet gateway. It could be a router, a proxy server or a firewall, that doesn’t matter. It is the device that sits between your local network and the Internet. In this case, I think everyone would agree that the Internet is considered as being the outside and the local network, the inside. So, traffic coming FROM the Internet TO the local network would be ingress traffic and traffic FROM the local network TO the Internet would be egress traffic. So far, it’s still simple.
But if you look at things from the point of view of a network interface, things change. In the previous example, traffic going towards the Internet arrives at the gateway on its LAN interface, so on that interface it is now ingress traffic: it is entering the gateway. Likewise, traffic going toward the local network leaves the gateway through its LAN interface and is therefore now egress traffic there. On the WAN interface, it is the other way around: traffic from the Internet is ingress on that interface and traffic toward the Internet is egress.
To summarize, differentiating ingress and egress traffic requires that we all agree on what we’re talking about. As we saw, ingress traffic in one context can be egress traffic in a different one. Our best suggestion would be to either avoid using these terms altogether or to clearly state the context (the site, the device or the interface) every time you use them. That way, you’ll avoid any confusion.
Monitoring Egress And Ingress Traffic
Now that we’re familiar with the terminology, let’s have a look at monitoring ingress and egress traffic. Typically, this is done using special software called network monitoring or bandwidth monitoring tools. These tools use the Simple Network Management Protocol (SNMP) to read interface counters from network-connected equipment. These counters (ifInOctets and ifOutOctets in the standard IF-MIB, or their 64-bit ifHCInOctets and ifHCOutOctets variants on faster links) simply tally the number of bytes in and out of each network interface. Note that monitoring tools rarely use the words ingress and egress; they usually refer to traffic in and out of an interface. It is up to you, if you so desire, to decide which is ingress and which is egress traffic, again depending on the specific context.
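As an added example (not code from the original post or from any of the tools reviewed below), here is how a poller turns two SNMP interface-counter samples into in/out bit rates, and how the interface-level "in" and "out" of the gateway example above map onto site-level ingress and egress. The counter samples are constructed, and the interface names and the choice of "lan0" as the inside interface are assumptions for the gateway scenario; the OIDs are the standard IF-MIB ones.

```python
"""Derive in/out bit rates from SNMP interface counters and label each rate from
the site's point of view (ingress to / egress from the local network).

Added example, not code from the original post or from any of the tools it
reviews. The counter samples are constructed; the interface names and the
choice of "lan0" as the inside interface are assumptions for the gateway
scenario described above.
"""

# IF-MIB objects (RFC 2863). ifInOctets/ifOutOctets are 32-bit counters: they
# wrap in a few seconds on a 10 Gbit/s link and in about half a minute at
# 1 Gbit/s, so prefer the 64-bit ifHC* variants when the device supports them.
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"

COUNTER32_MAX = 2 ** 32
COUNTER64_MAX = 2 ** 64


def counter_delta(old, new, width_max=COUNTER32_MAX):
    """Octets counted between two samples, tolerating a single counter wrap."""
    if new >= old:
        return new - old
    return (width_max - old) + new


def bits_per_second(old, new, seconds, width_max=COUNTER32_MAX):
    """Average bit rate over the polling interval (counters are in octets)."""
    if seconds <= 0:
        raise ValueError("polling interval must be positive")
    return counter_delta(old, new, width_max) * 8 / seconds


def site_direction(interface, counter, inside_ifaces):
    """Map an interface-level 'in'/'out' counter to the site-level direction.

    'in' on the WAN interface is traffic entering the gateway from the
    Internet, i.e. ingress to the site; 'in' on the LAN interface is traffic
    entering the gateway from the LAN, i.e. egress from the site.
    """
    if counter not in ("in", "out"):
        raise ValueError("counter must be 'in' or 'out'")
    inside = interface in inside_ifaces
    if counter == "in":
        return "site egress" if inside else "site ingress"
    return "site ingress" if inside else "site egress"


# Constructed samples: (interface, counter) -> (value at t0, value at t1),
# polled 60 s apart. wan0/in has wrapped past 2**32 between the two polls.
POLL_INTERVAL = 60
SAMPLES = {
    ("wan0", "in"): (COUNTER32_MAX - 1000, 74_999_000),
    ("wan0", "out"): (1_000_000, 38_500_000),
    ("lan0", "in"): (5_000, 37_505_000),
    ("lan0", "out"): (8_000, 75_008_000),
}


def report(samples=SAMPLES, interval=POLL_INTERVAL, inside=("lan0",)):
    """Return (interface, counter, site direction, bit/s) rows for each counter."""
    rows = []
    for (iface, ctr), (old, new) in sorted(samples.items()):
        rate = bits_per_second(old, new, interval)
        rows.append((iface, ctr, site_direction(iface, ctr, inside), round(rate)))
    return rows


if __name__ == "__main__":
    for iface, ctr, direction, rate in report():
        print(f"{iface} {ctr:>3}: {rate / 1e6:6.1f} Mbit/s  ({direction})")
```

Note that the two views agree once translated: the 10 Mbit/s entering wan0 is the same 10 Mbit/s leaving lan0, and both are site ingress. Without the wrap handling, the wan0/in sample would produce a large negative delta, which is the classic symptom of polling 32-bit counters too slowly.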
A Few Tools We’d Recommend
There are many bandwidth or network monitoring tools available. Probably too many and picking the best one—or even just a good one—can be a challenge. We’ve tried many of the available tools and came up with this list of a few of the very best bandwidth monitoring tools you can find.
1. SolarWinds Network Performance Monitor
SolarWinds is one of the very best makers of network administration tools. The company’s flagship product is called the SolarWinds Network Performance Monitor, or NPM. It is a very complete network monitoring solution that features a user-friendly graphical user interface that administrators can use to monitor devices and to configure the tool.
The system uses SNMP to query devices and display their interfaces’ utilization as well as other useful metrics on a graphical dashboard. In addition to this dashboard, various built-in reports can be generated either on demand or on a schedule. And if the built-in reports don’t give you the information you need, they can be customized at will. The package also includes a few useful tools such as the ability to display a visual rendition of the critical path between any two points of the network. This tool is highly scalable and it will suit any network from the smallest to large networks with thousands of devices spread over multiple sites.
- FREE TRIAL: SolarWinds Network Performance Monitor
- Official download link: https://www.solarwinds.com/network-performance-monitor/registration
The SolarWinds Network Performance Monitor‘s alerting system is another place where the product shines. Like its reports, it is customizable if needed but it can also be used out of the box with minimal configuration. The alerting engine is smart enough not to send notifications for “unimportant” events in the middle of the night, or to send hundreds of notifications for as many unresponsive devices when the real issue is a down router or network switch upstream.
Pricing for the SolarWinds Network Performance Monitor starts at just under $3 000 and goes up according to the number of devices to monitor. The pricing structure is actually rather complex and you should contact the SolarWinds sales team for a detailed quote. If you prefer to try the product before purchasing it, a free 30-day trial version is available for download from the SolarWinds website.
2. ManageEngine OpManager
ManageEngine is another well-known publisher of network management tools. The ManageEngine OpManager is a complete management solution that will handle pretty much any monitoring task you can throw at it. The tool runs on either Windows or Linux and is loaded with great features. Among others, there is an auto-discovery feature that can map your network, giving you a uniquely customized dashboard.
The ManageEngine OpManager‘s dashboard is super easy to use and navigate, thanks to its drill-down functionality. And if you are into mobile apps, there are apps for tablets and smartphones allowing you to access the tool from anywhere. This is an overall very polished and professional product.
Alerting is just as good in OpManager as are all its other components. There is a full complement of threshold-based alerts that will help detect, identify, and troubleshoot network issues. Multiple thresholds with different notifications can be set for all network performance metrics.
If you want to try the product before buying, a free version is available. Although it is a truly free version rather than a time-limited trial, it has some limitations such as letting you monitor no more than ten devices. This is insufficient for all but the smallest of networks. For larger networks, you can choose between the Essential or the Enterprise plans. The first will let you monitor up to 1,000 nodes while the other goes up to 10,000. Pricing information is available by contacting ManageEngine’s sales.
3. PRTG Network Monitor
The PRTG Network Monitor, which we’ll simply refer to as PRTG, is another great monitoring system. Its publisher claims that this tool can monitor all systems, devices, traffic, and applications of your IT infrastructure. It is an all-inclusive package that does not rely on external modules or add-ons that need to be downloaded and installed. Because of its integrated nature, it is quicker and easier to install than most other network monitoring tools. You can choose between a few different user interfaces such as a Windows enterprise console, an Ajax-based web interface, and mobile apps for Android and iOS.
The PRTG Network Monitor is different from most other monitoring tools in that it is sensor-based. Various monitoring features can be added to the tool simply by configuring extra sensors. They are like plugins except that they are not external modules but are, instead, included with the product. PRTG includes over 200 such sensors that cover different monitoring needs. For network performance metrics, the QoS sensor and the Advanced PING Sensor allow you to monitor latency and jitter while the standard SNMP sensor will let you monitor throughput.
The PRTG pricing structure is pretty simple. There’s a free version which is full-featured but will limit your monitoring ability to 100 sensors. There’s also a 30-day trial version which is unlimited but will revert back to the free version once the trial period is over. If you want to keep monitoring more than 100 sensors beyond the trial period, you’ll need to purchase a license. Their price varies according to the number of sensors from $1 600 for 500 sensors to $14 500 for unlimited sensors. Each monitored parameter counts as one sensor. For example, monitoring bandwidth on each port of a 48-port switch will count as 48 sensors.
Egress In The Context Of Security
There is another use for the term egress among network and system administrators that is specific to the context of data security. It refers to data leaving an organization’s local network. Outbound email messages, cloud uploads, or files being moved to external storage are simple examples of data egress. It is a normal part of network activity, but it can pose a threat to organizations when sensitive data is leaked to unauthorized recipients, either unknowingly or maliciously.
Threats Involving Data Egress
Sensitive, proprietary, or easily monetizable information is often targeted by cybercriminals of all kinds. The release of sensitive or proprietary information to the public or to competing organizations is a real concern for enterprises, governments, and organizations of all kinds. Threat actors may try to steal sensitive data through the same methods many employees use every day, such as email, USB, or cloud uploads.
Best Practices For Preventing Unwanted Data Egress
There’s a lot you can do to protect your organization against unauthorized data egress, but a few measures are particularly important. Let’s have a look at two of the bare essentials.
Create an acceptable use and data egress traffic enforcement policy
Include stakeholders to define your acceptable use policy. The policy should be very thorough and protect your company’s resources. It could, for instance, include a list of approved Internet-accessible services and guidelines for accessing and handling sensitive data. And don’t forget that it is one thing to create such policies but you also need to communicate them to users and make sure they understand them.
Implement firewall rules to block egress to malicious or unauthorized destinations
A network firewall is only one of several lines of defense against threats. It is a good starting point, though: configured with a default-deny outbound policy and an explicit allow list, it ensures that data egress does not occur without explicit permission.
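The following is an added example, not from the original post and not any firewall vendor’s rule syntax: it models in plain Python what a default-deny egress rule set has to express, and contrasts it with the permissive "allow anything outbound" default. The subnets, hosts, ports, rules and flows are all constructed assumptions for a typical site where workstations reach the Internet only through an internal proxy and an internal DNS resolver, and only the mail relay may speak SMTP outbound.

```python
"""Default-deny egress policy, evaluated against constructed flows.

Added example, not from the original post and not any firewall vendor's rule
syntax: it models what an egress rule set has to express, in plain Python.
The subnets, hosts, ports and rules are assumptions standing in for a typical
site where workstations reach the Internet only through an internal proxy and
an internal DNS resolver, and only the mail relay may speak SMTP outbound.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any destination port
    proto: str             # "tcp", "udp" or "any"
    action: str            # "allow" or "deny"


LAN = "10.10.0.0/16"
PROXY = "10.10.1.10/32"
RESOLVER = "10.10.1.53/32"
MAIL_RELAY = "10.10.1.25/32"
ANY = "0.0.0.0/0"

# Hardened: first match wins, and the last rule denies everything else.
EGRESS_RULES = [
    Rule("lan-to-internal-dns", LAN, RESOLVER, 53, "udp", "allow"),
    Rule("lan-to-proxy", LAN, PROXY, 3128, "tcp", "allow"),
    Rule("proxy-https-out", PROXY, ANY, 443, "tcp", "allow"),
    Rule("proxy-http-out", PROXY, ANY, 80, "tcp", "allow"),
    Rule("resolver-dns-out", RESOLVER, ANY, 53, "udp", "allow"),
    Rule("relay-smtp-out", MAIL_RELAY, ANY, 25, "tcp", "allow"),
    Rule("default-deny-egress", ANY, ANY, None, "any", "deny"),
]

# Weak: the common "allow anything outbound" default, kept here only to show
# what it lets through.
PERMISSIVE_RULES = [Rule("allow-all-out", ANY, ANY, None, "any", "allow")]


def matches(rule, src, dst, dport, proto):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport)
            and rule.proto in ("any", proto))


def evaluate(src, dst, dport, proto, rules=EGRESS_RULES):
    """Return (action, rule name) for the first matching rule."""
    for rule in rules:
        if matches(rule, src, dst, dport, proto):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # never fall through to an allow


# Constructed flows: (src, dst, dport, proto, what the flow represents)
FLOWS = [
    ("10.10.5.20", "10.10.1.53", 53, "udp", "workstation DNS via internal resolver"),
    ("10.10.5.20", "10.10.1.10", 3128, "tcp", "workstation web via proxy"),
    ("10.10.5.20", "8.8.8.8", 53, "udp", "workstation bypassing the resolver"),
    ("10.10.5.20", "203.0.113.5", 443, "tcp", "workstation direct to Internet"),
    ("10.10.5.20", "203.0.113.5", 25, "tcp", "workstation sending SMTP directly"),
    ("10.10.1.25", "203.0.113.5", 25, "tcp", "mail relay delivering mail"),
    ("10.10.1.10", "203.0.113.5", 443, "tcp", "proxy fetching on behalf of a user"),
]


def audit(flows=FLOWS, rules=EGRESS_RULES):
    """Return the descriptions of the flows the rule set denies."""
    return [desc for src, dst, dport, proto, desc in flows
            if evaluate(src, dst, dport, proto, rules)[0] == "deny"]


if __name__ == "__main__":
    for src, dst, dport, proto, desc in FLOWS:
        action, rule = evaluate(src, dst, dport, proto)
        print(f"{action:5} {rule:22} {desc}")
    print("denied by permissive rule set:", audit(rules=PERMISSIVE_RULES))
```

The three flows the hardened set denies (direct DNS to an outside resolver, direct HTTPS and direct SMTP from a workstation) are exactly the paths that DNS tunnelling, malware call-backs and mail-based exfiltration take; the permissive set denies none of them. The same ordering rules apply to a real firewall: put the specific allows first, end with a deny, and log the deny so the events reach the SIEM discussed below.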
SIEM – To Help Prevent Data Egress
No matter what you do, monitoring remains one of the best ways to protect against data egress. Whenever data leakage happens, you want to know about it right away so you can act upon it. This is where Security Information and Event Management (SIEM) tools can help.
Concretely, a SIEM system does not provide any hard protection. Its primary purpose is to make the life of network and security administrators like you easier. What a typical SIEM system really does is collect information from various protection and detection systems, correlate all this information assembling related events, and react to meaningful events in various ways. Most of the time, SIEM tools also include some form of reporting and/or dashboards.
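To make the collect-correlate-react description concrete, here is an added example (not code from the original post or from any SIEM product) of a correlation rule run over a handful of outbound proxy log lines. The log lines and their format, the approved-destination list, the 10-minute window and the 50 MB threshold are all constructed assumptions; the point is how a noisy low-severity event (a request to an unapproved destination) becomes a single high-severity alert once it is correlated per user over time.

```python
"""Correlating proxy log events into a bulk-egress alert, the way a SIEM
correlation rule would.

Added example, not code from the original post or from any SIEM product. The
log lines, the log format, the approved-destination list, the 10-minute window
and the 50 MB threshold are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound proxy log (one request per line).
LOG_LINES = """\
2024-03-04T09:12:01Z user=alice dst=crm.example.com bytes_out=2048 method=POST
2024-03-04T09:13:10Z user=alice dst=drive.example.net bytes_out=20000000 method=PUT
2024-03-04T09:14:02Z user=alice dst=drive.example.net bytes_out=25000000 method=PUT
2024-03-04T09:15:45Z user=alice dst=drive.example.net bytes_out=15000000 method=PUT
2024-03-04T09:20:00Z user=bob dst=crm.example.com bytes_out=4096 method=POST
2024-03-04T10:30:00Z user=bob dst=paste.example.org bytes_out=800 method=POST
garbage line the parser must not choke on
""".splitlines()

APPROVED_DESTINATIONS = {"crm.example.com", "mail.example.com"}
WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 50_000_000  # bytes sent to unapproved destinations per window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<bytes>\d+) method=(?P<method>\S+)$"
)


def parse(lines):
    """Normalise raw lines into events; malformed lines are skipped and counted."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return events, skipped


def policy_events(events, approved=APPROVED_DESTINATIONS):
    """Rule 1: every request to a destination outside the approved list.
    Low severity on its own; far too noisy to page on."""
    return [e for e in events if e["dst"] not in approved]


def bulk_egress_alerts(events, approved=APPROVED_DESTINATIONS,
                       window=WINDOW, threshold=BULK_THRESHOLD):
    """Rule 2: correlate rule-1 events per user over a sliding window and
    alert once the volume sent to unapproved destinations crosses the threshold."""
    alerts = []
    recent = defaultdict(list)  # user -> policy events still inside the window
    for ev in sorted(policy_events(events, approved), key=lambda e: e["ts"]):
        bucket = recent[ev["user"]]
        bucket.append(ev)
        while ev["ts"] - bucket[0]["ts"] > window:
            bucket.pop(0)
        total = sum(e["bytes"] for e in bucket)
        if total >= threshold:
            alerts.append({
                "user": ev["user"],
                "severity": "high",
                "bytes": total,
                "destinations": sorted({e["dst"] for e in bucket}),
                "first": bucket[0]["ts"],
                "last": ev["ts"],
            })
            bucket.clear()  # one alert per burst, not one per request
    return alerts


if __name__ == "__main__":
    events, skipped = parse(LOG_LINES)
    print(f"{len(events)} events parsed, {skipped} malformed line(s) skipped")
    print(f"{len(policy_events(events))} requests to unapproved destinations")
    for a in bulk_egress_alerts(events):
        print(f"ALERT {a['severity']}: {a['user']} sent {a['bytes']:,} bytes to "
              f"{', '.join(a['destinations'])} between {a['first']:%H:%M} and {a['last']:%H:%M}")
```

Run on the constructed log, alice’s three uploads to drive.example.net add up to 60 MB inside ten minutes and produce one high-severity alert, while bob’s 800-byte post to a pastebin-style site remains a single low-severity policy event. The skipped-line counter matters in practice: a sudden rise in unparseable lines usually means a log format changed upstream and the rule has silently gone blind.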
Some Of The Top SIEM Tools
To give you an idea of what’s available and to help you pick the right SIEM tool for your needs, we’ve assembled this list of some of the best SIEM tools.
1. SolarWinds Security Event Manager
The same SolarWinds that brought us the Network Performance Monitor reviewed above also has an offering for Security Information and Event Management. In fact, it is one of the very best SIEM tools available. It might not be as full-featured as some other tools but what it does, it does very well and it has all the required functionality. The tool is called the SolarWinds Security Event Manager (SEM). It is best described as an entry-level SIEM system but it’s likely one of the most competitive entry-level systems on the market. The SolarWinds SEM has everything you can expect from a SIEM system, including excellent log management and correlation features that can help detect unauthorized data egress and an impressive reporting engine.
As for the tool’s event response features, as expected from SolarWinds, they leave nothing to be desired. The detailed real-time response system will actively react to every threat it detects. And since it’s based on behaviour rather than signatures, it can also catch threats for which no signature exists yet. The tool’s dashboard is possibly one of its best assets. With a simple design, you’ll have no trouble quickly identifying anomalies. Starting at around $4 500, the tool is more than affordable. And if you want to try it first, a free fully functional 30-day trial version is available for download.
2. Splunk Enterprise Security
Possibly one of the most popular SIEM systems, Splunk Enterprise Security–or simply Splunk ES, as it is often called–is famous for its analytic capabilities. Splunk ES monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity. The system uses Splunk’s own Adaptive Response Framework (ARF) which integrates with equipment from more than 55 security vendors. The ARF performs automated response, letting you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the “Notables” function which shows user-customizable alerts and the “Asset Investigator” for flagging malicious activities and preventing further problems.
Splunk ES is an enterprise-grade product and, as such, it comes with an enterprise-sized price tag. You can’t, unfortunately, get much pricing information from Splunk’s website and you’ll need to contact the sales department to get a quote. Despite its price, this is a great product and you might want to contact Splunk to take advantage of an available free trial.
3. NetWitness
For the past few years, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. After being purchased by EMC, which then merged with Dell, the NetWitness business is now part of the RSA branch of the corporation. And this is good news as RSA has an excellent reputation in security.
NetWitness is ideal for organizations seeking a complete network analytics solution. The tool incorporates information about your business which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection which combines behavioural analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help eradicate threats before they impact your business.
One of the main drawbacks of NetWitness is that it’s not the easiest to set up and use. However, there is ample documentation available which can help you with setting up and using the product. This is another enterprise-grade product and, as it is often the case with such products, you’ll need to contact sales to get pricing information.