This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular  do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center.

  1. Site has your main internet gateway and VPN termination point. As am example, it’s a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/Iot.

  2. Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It’s bridging traffic between gateway and data center.

  3. Within data center, hosts have software host based firewalls, all centrally managed by management product.

Questions:

  • How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?

  • How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?

  • How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?

  • How have organizations you’ve worked for implemented these strategies?

  • Were they manageable vs effective?

  • Did the organization detect/prevent lateral movement if any unauthorized access happened?

  • What would you change about your organization’s firewall related designs?