This is a network defense design scheme question.
In a scenario where your organization is designing multi-layered firewall deployment and management, how granular do you create rules at each of these three layers?
Example site is a main/HQ site that also houses your data center (basic 3-tier model).
-
Site has your main internet gateway and VPN termination point. As an example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/IoT.
-
Between your gateway and the rest of your corporate network/data center, you have a transparent proxy firewall/IPS/monitor. It's bridging traffic between the gateway and the data center.
-
Within the data center, hosts have software host-based firewalls, all centrally managed by a management product.
Questions:
-
How granular do you make ZBF policies at the gateway? Limit it to broad zones, subnets, etc.? Get granular by source/destination? Further granular by source/destination/port?
-
How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?
-
How granular do you make rules for host-based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?
-
How have organizations you've worked for implemented these strategies?
-
Were they manageable vs effective?
-
Did the organization detect/prevent lateral movement if any unauthorized access happened?
-
What would you change about your organization's firewall related designs?
Rules are defined as narrowly as possible to accomplish the goal.
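Added illustration (not part of the question or the answer above, and not any vendor's configuration syntax): a small Python model of the three layers the question describes, each written at the granularity that layer can actually see. The gateway decides only on zone pairs (plus a port where one matters), the transparent bridge on src subnet/dst subnet/port for traffic crossing into the data center, and the host firewall on src/port/executable for its own inbound connections. All addresses, zones, hostnames, listening processes and rule sets are constructed for the example. The point it makes concrete is the one-line answer above: every layer is as narrow as it can be for what it sees, and a lateral move between two data-center hosts is only caught at the host layer because the other two never see it.

```python
"""Three-layer firewall model: gateway ZBF -> transparent bridge -> host firewall.
Everything below (addresses, zones, rules, process names) is a constructed
example for illustration, not a real deployment or a vendor config format."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed zone map (assumption). zone_of() picks the most specific prefix,
# so "internet" is the fallback for anything not in a named network.
ZONES = {
    "corp":     ipaddress.ip_network("10.10.0.0/16"),      # LAN + data center
    "vpn":      ipaddress.ip_network("10.20.0.0/16"),      # site/client VPN pool
    "guest":    ipaddress.ip_network("192.168.100.0/24"),  # guest / IoT
    "internet": ANY,
}
DC = ipaddress.ip_network("10.10.200.0/24")   # data-center segment behind the bridge


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return max((z for z, n in ZONES.items() if addr in n),
               key=lambda z: ZONES[z].prefixlen)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    exe: str  # process listening on dst; only the host layer can see this


# Layer 1: gateway ZBF. Granularity = zone pair, plus a port where it matters.
# Traffic that stays inside one zone is not a zone-pair decision at all.
GATEWAY = [  # (src_zone, dst_zone, dport or None for any port)
    ("corp", "internet", None),
    ("guest", "internet", None),
    ("vpn", "corp", 443),
    ("internet", "corp", 443),
]

# Layer 2: transparent bridge in front of the DC. Granularity = src net/dst net/port.
BRIDGE = [  # (src_net, dst_net, dport)
    (ANY, ipaddress.ip_network("10.10.200.10/32"), 443),  # anyone -> public web host
    (ipaddress.ip_network("10.10.0.0/16"), DC, 443),       # LAN -> any DC web service
    (ipaddress.ip_network("10.10.5.0/24"), DC, 22),        # admin subnet -> DC ssh
]

# Layer 3: centrally managed host firewalls. Granularity = src net/port/executable.
HOSTS = {
    "10.10.200.10": [(ANY, 443, "nginx"),
                     (ipaddress.ip_network("10.10.5.0/24"), 22, "sshd")],
    "10.10.200.20": [(ipaddress.ip_network("10.10.0.0/16"), 443, "nginx")],   # app tier
    "10.10.200.30": [(ipaddress.ip_network("10.10.200.20/32"), 5432, "postgres")],  # db tier
}


def _gateway(f: Flow):
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if sz == dz:
        return None  # intra-zone: the gateway never sees a zone crossing
    ok = any(s == sz and d == dz and p in (None, f.dport) for s, d, p in GATEWAY)
    return "allow" if ok else "deny"


def _bridge(f: Flow):
    s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if (s in DC) == (d in DC):
        return None  # both sides on the same side of the bridge: not inspected
    ok = any(s in sn and d in dn and p == f.dport for sn, dn, p in BRIDGE)
    return "allow" if ok else "deny"


def _host(f: Flow):
    rules = HOSTS.get(f.dst)
    if rules is None:
        return None  # destination not modelled here
    s = ipaddress.ip_address(f.src)
    ok = any(s in sn and p == f.dport and x == f.exe for sn, p, x in rules)
    return "allow" if ok else "deny"


def evaluate(f: Flow):
    """Return (verdict, layer): the first layer that denies, else ('allow', 'all')."""
    for name, layer in (("gateway", _gateway), ("bridge", _bridge), ("host", _host)):
        if layer(f) == "deny":
            return "deny", name
    return "allow", "all"


if __name__ == "__main__":
    # Constructed sample flows, including a lateral move inside the DC (445 to the
    # db host from a compromised app host) and a rogue listener squatting on 443.
    for flow in (Flow("10.10.50.23", "10.10.200.10", 443, "nginx"),
                 Flow("192.168.100.7", "10.10.200.10", 443, "nginx"),
                 Flow("10.10.50.23", "10.10.200.30", 5432, "postgres"),
                 Flow("10.10.200.20", "10.10.200.30", 445, "smbd"),
                 Flow("10.10.50.23", "10.10.200.10", 443, "python3")):
        print(flow, "->", evaluate(flow))
```

Reading the output top to bottom shows where each decision naturally lives: guest-to-DC dies at the gateway on the zone pair alone, a workstation reaching the database port dies at the bridge on subnet/port, and the app-to-db SMB attempt and the rogue process bound to 443 are only stopped by the host rules, which is why that last layer needs the executable in the match and why the other two gain nothing from trying to carry that detail.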