Managed Network Edge · Deep dive 03

Egress rules that would have caught Salt Typhoon

The espionage campaign of the year lived on edge devices and quietly tunnelled data out. A secure internet gateway on Azure Firewall, billed at Azure cost, is where you stop that.

Draft outline · Security / cost lens

The anchor

CISA advisory AA25-239A documented the China-linked Salt Typhoon campaign compromising around 600 organisations across 80 countries, living on edge routers, adding GRE tunnels for persistence and capturing TACACS+ authentication traffic. The lesson for an agency: outbound is a control surface, not an afterthought.

Sources we build on
Journalism

Government and CNI-focused journalism tracking the campaign, its scale and its edge-device tradecraft.

Primary

Joint government advisory detailing the TTPs, including GRE tunnelling and TACACS+ capture.

Article outline
  1. Why the edge device. It is the one box with no EDR, and it sees all the traffic.
  2. What Salt Typhoon did with it. Persistence via GRE tunnels, credential capture, quiet exfiltration.
  3. Egress as a first-class control. Default-deny outbound, allow-listed destinations, ISM-aligned rule policy.
  4. On Azure Firewall. Rule collections, logging to the SIEM, and the managed operating model.
  5. The commercial line. Fixed monthly management, Azure billed at cost, 0% markup.
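As an added example for outline points 3 and 4 (not code from this page or from Microsoft): a simplified Python model of how Azure Firewall evaluates a default-deny egress policy, following its documented first-match order (rule collection groups by priority, rule collections by priority, first matching rule terminates, implicit deny otherwise). The policy, address ranges and flows are constructed; it also shows why a GRE tunnel can only meet the implicit deny, since network rules name TCP, UDP, ICMP or Any but not protocol 47.

```python
# Simplified model of Azure Firewall policy evaluation for egress (added example,
# not Microsoft's code). Addresses, rule names and flows are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NetworkRule:
    name: str
    ip_protocols: set   # network rules accept TCP, UDP, ICMP or Any; GRE matches only "Any"
    sources: list       # source CIDRs
    destinations: list  # destination CIDRs
    ports: set          # destination ports as strings, or "*"

    def matches(self, f):
        return ("Any" in self.ip_protocols or f["proto"] in self.ip_protocols) \
            and any(ip_address(f["src"]) in ip_network(c) for c in self.sources) \
            and any(ip_address(f["dst"]) in ip_network(c) for c in self.destinations) \
            and ("*" in self.ports or str(f["dport"]) in self.ports)

def evaluate(groups, flow):
    """Return (action, matched path); no match means the implicit default deny."""
    for grp in sorted(groups, key=lambda g: g["priority"]):
        for coll in sorted(grp["collections"], key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if rule.matches(flow):
                    return coll["action"], f"{grp['name']}/{coll['name']}/{rule.name}"
    return "Deny", "implicit-default-deny"

def sample_policy():
    internal, approved_saas = ["10.0.0.0/8"], ["203.0.113.0/24"]   # constructed ranges
    return [{"name": "egress", "priority": 200, "collections": [
        # Explicit deny at higher priority: TACACS+ must never leave the estate.
        {"name": "deny-aaa-egress", "priority": 100, "action": "Deny", "rules": [
            NetworkRule("tacacs-out", {"TCP", "UDP"}, internal, ["0.0.0.0/0"], {"49"})]},
        # Everything else must be explicitly allow-listed by destination and port.
        {"name": "allow-listed-egress", "priority": 200, "action": "Allow", "rules": [
            NetworkRule("https-approved-saas", {"TCP"}, internal, approved_saas, {"443"}),
            NetworkRule("ntp-approved", {"UDP"}, internal, ["203.0.113.10/32"], {"123"})]}]}]

SAMPLE_FLOWS = [  # constructed; a GRE tunnel carries no port
    {"src": "10.1.2.3", "dst": "203.0.113.5", "proto": "TCP", "dport": 443},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "proto": "GRE", "dport": None},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "proto": "TCP", "dport": 49},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "proto": "TCP", "dport": 443}]

def decisions(flows=SAMPLE_FLOWS):
    """Evaluate every flow; the Deny entries are what should reach the SIEM."""
    return [evaluate(sample_policy(), f) for f in flows]
```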
How it aligns to what we do

Blends the security case (a campaign every government reader knows) with the commercial model that defines the product: fixed management fee, Azure at cost. It shows we manage the outcome, not resell Azure at a markup, which is a direct shot at the big-vendor opacity our persona is tired of.

Points to hit
Control it ratifies (ISM / E8)

ISM network management and egress-filtering controls; supports monitoring guidance by shipping edge logs to the managed SIEM.