Firewalls will always be a key ingredient to network security, but not all firewalls are equal. Recently I've been forced into documenting how I decide & think about firewall rules...
Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic
policies (ACLs): each rule should be as tight as possible. The idea of
"any" should not be used at all and ranges should be kept to a minimum;
hosts are better than subnets, source and destination IPs are both
restricted, and specific TCP ports (not ranges) are used.
Service Led Firewalling
A term I think I made up, Service Led Firewalling is where you relax
the ACL/policy at the source. To host a DNS zone you need to allow
"anyone" to perform lookups, so Strict Firewalling cannot be applied
here, but you do know the destination and the service, so both of these
should be defined/restricted as appropriate. You see what I mean here:
the policy is defined by the "service" provided.
Open Firewalling
Possibly a contradiction in terms, but bear with me; there are some
instances where implementing a firewall provides little benefit. One
example I've seen was a customer's security officer who wanted an internal
firewall (i.e. no internet connection) in front of their Microsoft
file server. In order for AD & MS clients to work properly, all the MS
ports had to be opened... so the server guys continuously complained: what
exactly is the firewall doing? So what is Open Firewalling? It's the
process of implementing a black list followed by a white list, rather
than the traditional permit-then-drop processing that a firewall does.
I'd create a rule that drops prohibited applications (such as P2P or
unencrypted protocols) and then create a policy permitting all ports
from legitimate IP ranges.
When would I use these?
Your firewall should be broken into zones; each zone meets both the
security policy and the business requirements, and you then apply a
firewalling technique to each zone. For example, it's not uncommon to
have a back-end database which should only ever be accessed by the front
end application, so it could sit in a zone protected by Strict
Firewalling; public services such as websites/email servers require
flexibility on their source and thus need Service Led Firewalling.
Occasionally your business or application requirements suggest that
firewalling impedes things; using Open Firewalling to "clean" traffic
is a compromise between "security people wanting firewalls" and any
historical business/application issues. The firewall is there, perhaps
protecting against syn-flood attacks and, as previously suggested, blocking
prohibited apps, yet the business doesn't see any traditional firewall headaches.
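To make the three techniques concrete, here is an added example (my own illustration, not part of the original post) of a tiny first-match rule evaluator with one rule set per zone: a strict database zone, a service-led DNS zone and an open file-server zone where the black list sits in front of the white list. All addresses and the list of prohibited ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "drop"
    src: str             # source CIDR; "0.0.0.0/0" is "any" (only in the relaxed zones)
    dst: str             # destination CIDR
    ports: frozenset     # destination TCP ports; empty set means all ports

ANY = "0.0.0.0/0"

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (not rule.ports or port in rule.ports))

def evaluate(rules: list, src: str, dst: str, port: int) -> str:
    """First matching rule wins; an implicit final drop applies, as on a traditional firewall."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "drop"

# Strict zone: one front-end host to one database host on one port, nothing else.
STRICT_DB = [Rule("permit", "10.1.1.10/32", "10.2.2.20/32", frozenset({5432}))]

# Service-led zone: the source is relaxed to "anyone", the destination and service are pinned.
SERVICE_DNS = [Rule("permit", ANY, "10.3.3.53/32", frozenset({53}))]

# Open zone: black list first (constructed sample: a P2P port and unencrypted telnet),
# then a white list permitting all ports from the legitimate internal range.
PROHIBITED = frozenset({6881, 23})
OPEN_FILESERVER = [
    Rule("drop", ANY, "10.4.4.0/24", PROHIBITED),
    Rule("permit", "10.0.0.0/8", "10.4.4.0/24", frozenset()),
]

def open_zone_with_rules_swapped(src: str, dst: str, port: int) -> str:
    """Shows why order matters: white list before black list lets prohibited apps through."""
    return evaluate(list(reversed(OPEN_FILESERVER)), src, dst, port)

if __name__ == "__main__":
    print("strict   :", evaluate(STRICT_DB, "10.1.1.10", "10.2.2.20", 5432))
    print("service  :", evaluate(SERVICE_DNS, "203.0.113.7", "10.3.3.53", 53))
    print("open P2P :", evaluate(OPEN_FILESERVER, "10.9.9.9", "10.4.4.5", 6881))
    print("swapped  :", open_zone_with_rules_swapped("10.9.9.9", "10.4.4.5", 6881))
```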
I don't agree you fool!
That's your choice; there's no single correct answer in security. The business
you work in and the security policy mandated by senior management
direct what you do; these are just my approaches :-)