Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Network Egress Control

Training Camp • Cybersecurity Glossary

What is Network Egress Control?

The practice of filtering and monitoring outbound traffic so only authorized data leaves a network, blocking exfiltration, C2 beacons, and IP spoofing.

Glossary > Network Security > Network Egress Control

Understanding Network Egress Control

Network egress control is the practice of inspecting, filtering, and restricting traffic leaving a network so that only authorized destinations, ports, and protocols are permitted to exit. While many defenses focus on what comes in, egress control governs what goes out, blocking data exfiltration, command-and-control communication, and spoofed-source packets.

It is enforced with egress firewall rules, outbound proxies, DNS filtering, and data loss prevention (DLP) tools. A default-deny egress policy permits only explicitly approved outbound flows, for example allowing internal hosts to reach the internet only through a proxy on ports 80 and 443. BCP 38 (RFC 2827) egress filtering drops outbound packets whose source addresses do not belong to the network, preventing hosts from participating in spoofed DDoS attacks. Egress points are also where TLS inspection, URL categorization, and anomaly detection are applied to outbound sessions.

This matters because most attacks must eventually "phone home." Malware needs to reach a C2 server, ransomware operators stage and exfiltrate data, and insiders may attempt to upload sensitive files. Without egress control, a compromised host can freely beacon out and tunnel stolen data over allowed ports. Tight egress policy shrinks that opportunity, turns covert channels into detectable anomalies, and is a common compliance requirement for protecting regulated data.

For example, a finance firm restricts all outbound traffic to a vetted proxy and blocks direct internet access from servers. An endpoint is compromised by malware that attempts to exfiltrate a customer database to an unknown external IP on port 8443. The egress firewall denies the unsanctioned destination and port, the DLP engine flags the large outbound transfer attempt, and the SOC receives an alert. The breach is contained at the egress boundary before any data leaves, demonstrating how outbound control stops an intrusion from becoming a data loss event.

Learn More About Network Egress Control:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →