
Firewalls will always be a key ingredient to network security, but not all firewalls are equal. Recently I've been forced into documenting how I decide & think about firewall rules...

Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic policies (ACLs): each rule should be as tight as possible... the idea of "any" should not be used at all and ranges should be kept to a minimum; hosts are better than subnets, source and destination IPs are restricted, and specific TCP ports (not ranges) are used.

Service Led Firewalling
A term I think I made up, Service Led Firewalling is where you relax the ACL/policy at the source... to host a DNS zone you need to allow "anyone" to perform lookups, so Strict Firewalling cannot be applied here, but you do know the destination and the service, so both of these should be defined/restricted as appropriate... you see what I mean here: the policy is defined by the "service" provided.

Open Firewalling
Possibly a contradiction in terms, but bear with me; there are some instances where implementing a firewall provides little benefit. One example I've seen was a customer's security officer who wanted an internal firewall (i.e. no internet connection) in front of their Microsoft file server; in order for AD & MS clients to work properly all the MS ports had to be opened... so the server guys continuously complained: what exactly is the firewall doing? What is Open Firewalling? It's the process of implementing a black list followed by a white list, rather than the traditional permit-then-drop processing that a firewall does; I'd create a rule that drops prohibited applications (such as P2P or unencrypted protocols) and then create a policy permitting all ports from legitimate IP ranges.

When would I use these?
Your firewall should be broken into zones; each zone meets both security policy and business requirements, and you then apply a firewalling technique to each zone. For example, it's not uncommon to have a back-end database which should only ever be accessed by the front-end application, so it could sit in a zone protected by Strict Firewalling; public services such as websites/email servers require flexibility on their source and thus require Service Led Firewalling. Occasionally your business or application requirements suggest that firewalling impedes things; using Open Firewalling to "clean" traffic is a compromise between "security people wanting firewalls" and any historical business/application issues... the firewall is there perhaps protecting against SYN-flood attacks & as previously suggested blocking prohibited apps, yet the business doesn't see any traditional firewall headaches.
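To make the three styles concrete, here is an added example (mine, not from the original post) that models a first-match ACL in Python with one rule set per zone; the addresses, the database/DNS/file-server zones and the ports standing in for prohibited applications are all constructed. It goes slightly beyond the text by also flagging the classic Open Firewalling mistake: a black-list drop placed below the broad permit, which the permit then shadows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "drop"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # TCP/UDP destination port, None = any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src == "any" or ip_address(src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; unmatched traffic hits the implicit drop."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "drop"

def _overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or ip_network(a).overlaps(ip_network(b))

def ineffective_drops(rules: List[Rule]) -> List[Rule]:
    """Drop rules that an earlier, overlapping permit reaches first (fully or partly)."""
    return [r for i, r in enumerate(rules) if r.action == "drop" and any(
        p.action == "permit" and _overlap(p.src, r.src) and _overlap(p.dst, r.dst)
        and (p.dport is None or r.dport is None or p.dport == r.dport)
        for p in rules[:i])]

# Strict zone (constructed): the back-end database, reachable from one app host on one port.
STRICT_DB = [Rule("permit", "10.0.1.10/32", "10.0.2.20/32", 5432)]

# Service-led zone (constructed): source relaxed to "any", destination and service pinned.
SERVICE_DNS = [Rule("permit", "any", "203.0.113.53/32", 53)]

# Open zone (constructed): black list first, then a broad white list for the client range.
# Constructed ports: 6881 stands in for a P2P client, 23 for cleartext telnet.
OPEN_FILESERVER = [
    Rule("drop", "any", "any", 6881),
    Rule("drop", "any", "any", 23),
    Rule("permit", "10.0.0.0/8", "10.0.3.0/24", None),
]

# Same rules with the white list first: the broad permit now shadows the black list.
OPEN_MISORDERED = [OPEN_FILESERVER[2], OPEN_FILESERVER[0], OPEN_FILESERVER[1]]
```

Running `ineffective_drops` over a candidate rule set before pushing it is the quick sanity check that the black list in an Open Firewalling zone actually sits above the permit.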

I don't agree you fool!
That's your choice; there's no correct answer to security. The business you work in and the security policy mandated by senior management direct what you do; these are just my approaches :-)



Nick Bettison ©