CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Rule or not to rule ?

  1. #1
    Join Date
    2014-10-10
    Posts
    250
    Rep Power
    9

    Default Rule or not to rule ?

    I posted a discussion here regarding security policy strategy. Basically, I would like to know your opinion on whether to use granular 'one-off' rules or just intrusion and malware inspection. I think that a security policy could basically have granular rules ('one-offs' per host/port) only for inbound DMZ and allow all internal traffic to flow between specific subnets/zones (avoiding single hosts and ports being listed) under inspection. Let me know.

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    13

    Default Re: Rule or not to rule ?

    Quote Originally Posted by Irek_Romaniuk View Post
    I posted a discussion here regarding security policy strategy. Basically, I would like to know your opinion on whether to use granular 'one-off' rules or just intrusion and malware inspection. I think that a security policy could basically have granular rules ('one-offs' per host/port) only for inbound DMZ and allow all internal traffic to flow between specific subnets/zones (avoiding single hosts and ports being listed) under inspection. Let me know.
    I think it's hard to say anything besides "it depends". I'd say a DMZ shouldn't have unrestricted access in, but it gets really grey when you're talking about internal firewalls. It all starts with knowing what you're protecting. I think in general if you have a source with a lot of places located, chances are you need an IA rule. Captive portal is great for this if you can't do AD Query. This will make the policies more secure but also much easier to manage.

    Worst thing you can have is a giant policy. At that point it becomes a major chore to figure out if things are matching your security policy or not. In addition, you end up requiring more and more people to support poking holes in the firewall. This can turn into a major problem if you start having a constant flood of firewall change requests, if for nothing more than the chance of the human element making a mistake.

    A good firewall policy shouldn't need much fiddling with.

  3. #3
    Join Date
    2014-10-10
    Posts
    250
    Rep Power
    9

    Default Re: Rule or not to rule ?

    I agree, it depends, but I think the direction is to use inspection and identity-awareness-like access. I was never able to answer the simple question of who has access to what based on any policies I've seen in the past (older than a few months). It's like a network using static routes instead of dynamic.
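    The "who has access to what" question from the post above is answerable mechanically when the rulebase is small enough to reason about. The following is an added example (not code from the thread or from Check Point): a first-match evaluator over a constructed, hypothetical rulebase using RFC 1918 / RFC 5737 addresses. It answers "what can host X reach" and also flags one-off rules that are fully shadowed by a broader earlier subnet-to-subnet rule, which is exactly the kind of dead entry that accumulates in a giant policy. The shadow check is a simplification: it compares each rule against single earlier rules, not against the union of all earlier rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple[ipaddress.IPv4Network, ...]
    dst: Tuple[ipaddress.IPv4Network, ...]
    ports: Optional[FrozenSet[int]]   # None means any service
    action: str                       # "accept" or "drop"

ANY = (net("0.0.0.0/0"),)

# Constructed sample rulebase (hypothetical; first-match semantics, explicit cleanup rule last).
RULES: List[Rule] = [
    Rule("dmz-web-in",     ANY,                   (net("192.0.2.10/32"),), frozenset({443}),  "accept"),
    Rule("dmz-mail-in",    ANY,                   (net("192.0.2.20/32"),), frozenset({25}),   "accept"),
    Rule("lan-to-servers", (net("10.1.0.0/16"),), (net("10.2.0.0/16"),),   None,              "accept"),
    Rule("hr-to-payroll",  (net("10.1.5.0/24"),), (net("10.2.9.7/32"),),   frozenset({8443}), "accept"),
    Rule("cleanup",        ANY,                   ANY,                     None,              "drop"),
]

def _in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in n for n in nets)

def _port_ok(rule: Rule, port: int) -> bool:
    return rule.ports is None or port in rule.ports

def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Rule:
    """Return the first rule whose source, destination and service all match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _in_any(s, r.src) and _in_any(d, r.dst) and _port_ok(r, port):
            return r
    raise LookupError("no matching rule; end the rulebase with an explicit cleanup rule")

def reachable_from(rules: List[Rule], src_ip: str, candidates) -> List[Tuple[str, int, str]]:
    """'What can this host reach?' over candidate (dst_ip, port) pairs, with the permitting rule."""
    out = []
    for dst_ip, port in candidates:
        r = first_match(rules, src_ip, dst_ip, port)
        if r.action == "accept":
            out.append((dst_ip, port, r.name))
    return out

def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every network and port of `inner` is already matched by `outer`."""
    nets_ok = (all(any(n.subnet_of(o) for o in outer.src) for n in inner.src)
               and all(any(n.subnet_of(o) for o in outer.dst) for n in inner.dst))
    ports_ok = outer.ports is None or (inner.ports is not None and inner.ports <= outer.ports)
    return nets_ok and ports_ok

def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because a single earlier rule already covers them."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

if __name__ == "__main__":
    print(reachable_from(RULES, "10.1.5.4", [("10.2.9.7", 8443), ("192.0.2.20", 443)]))
    print(shadowed_rules(RULES))
```

    In the sample rulebase the per-host "hr-to-payroll" rule is reported as shadowed by "lan-to-servers": the broad subnet rule already permits that traffic, so the one-off adds maintenance cost without adding control. Reviewing shadowed and unused rules is the cheapest way to keep a policy from turning into the giant policy described in post #2.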

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    13

    Default Re: Rule or not to rule ?

    Quote Originally Posted by Irek_Romaniuk View Post
    I agree, it depends, but I think the direction is to use inspection and identity-awareness-like access. I was never able to answer the simple question of who has access to what based on any policies I've seen in the past (older than a few months). It's like a network using static routes instead of dynamic.
    For sure, that's a main pain point. Assuming we're talking about having an AD auth backend, you could use an IA rule that basically allows any valid user in the AD domain to authenticate. Of course you would need to make a list of devices and possible applications that this would affect, and the business would need to understand there could be some interruption, but you already have a quick way to mitigate (just auth to the firewall). You could also do some identity sharing to the firewall they auth to (again assuming AD Query isn't an option).

    Of course static server-to-server info wouldn't be fixed with this; that would require a static accept rule. It would take a little while, but once you have it to where only authenticated users are allowed in, then your logs will start painting a picture for you that you can then say is valid or not, and then you can start breaking down access by AD group or what not.

    All of this assumes heavy buy in from management. The goal is to have as limited business interruption as possible.
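    The approach in the post above (let authenticated users in, then let the logs paint the picture) turns into a small aggregation job. The following is an added example, not code from the thread or from the product: it parses constructed log lines in a simple key=value form (not Check Point's native log format), summarises accepted flows per AD group as a destination/port list, and separately lists accepted flows that carried no user identity. The second list is where the static server-to-server accept rules the post mentions come from, and where gaps in identity coverage show up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (hypothetical hosts, users and groups).
SAMPLE_LOGS = """\
time=2020-05-01T08:01:02 action=accept src=10.1.5.4 dst=10.2.9.7 dport=8443 user=alice group=HR
time=2020-05-01T08:01:09 action=accept src=10.1.5.4 dst=10.2.9.7 dport=8443 user=alice group=HR
time=2020-05-01T08:02:11 action=accept src=10.1.7.9 dst=10.2.3.3 dport=22 user=bob group=IT
time=2020-05-01T08:03:40 action=accept src=10.1.9.12 dst=10.2.9.7 dport=8443
time=2020-05-01T08:04:05 action=drop src=10.1.9.12 dst=10.2.3.3 dport=3389
time=2020-05-01T08:05:00 action=accept src=10.1.2.2 dst=10.2.4.4 dport=1433 user=svc-backup group=ServiceAccounts
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text: str) -> List[Dict[str, str]]:
    """One dict per non-empty line, built from key=value tokens."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def access_by_group(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, int]]]:
    """group -> sorted (dst, dport) pairs seen in accepted flows; 'unidentified' when no group."""
    seen = defaultdict(set)
    for r in records:
        if r.get("action") != "accept":
            continue
        seen[r.get("group") or "unidentified"].add((r["dst"], int(r["dport"])))
    return {g: sorted(v) for g, v in seen.items()}

def unidentified_sources(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Accepted flows with no user: candidates for a static accept rule or for identity coverage fixes."""
    return sorted({(r["src"], r["dst"], int(r["dport"]))
                   for r in records if r.get("action") == "accept" and "user" not in r})

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for group, dests in access_by_group(recs).items():
        print(f"{group}: {dests}")
    print("no identity:", unidentified_sources(recs))
```

    Run over a real day of logs, the per-group table is the starting point for group-based access rules, and the no-identity list is the set of machine flows that the identity rule will never cover and that need an explicit accept (or a fix to AD Query coverage) before the broad rule is tightened.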
