Move to the new V14 Windows-based firewall?
Hi,
We are planning an upgrade from v13 with an "old" and network-rules focused firewall setting, to the new Windows application-based firewall in v14.
The problem for us, is that our rules are quite heavily based on normal acl priority based rules.
How did you guys handle the move to the new firewall way of thinking?
We stop all client to client traffic today, except for mgmt networks.
And that's an easy task with the >v14 firewall, but now.. not so much
And that is because I think in the "old" way.
Very simplified pseudorules below:
1. allow ip $MGMT network
2. allow ip $SRV network
3. allow ip $SPECIAL_CLIENTS (some small subnets on $CLIENT/16)
4. deny ip any $CLIENT network
This works if the rules are read the old (normal) way.
But now everything must be so granular if we try to use our old thinking..
So any ideas are welcome.
--
Regards Falk
Comments
Hi falkowich
New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.
So it will match each rule one by one and finally apply the default action if it did not match any rule.
> @jamesch wrote: Hi falkowich
> New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.
> So it will match each rule one by one and finally apply the default action if it did not match any rule.
Hi, Thanks for the answer @jamesch.
But there is no way to set the priority between the different rules anymore?
If I understand it right?
--
Regards Falk
Hello Falk,
You could block unknown connections. So you don't need explicit deny rules.
Best regards,
Tonke
> @tonke wrote: Hello Falk,
> You could block unknown connections. So you don't need explicit deny rules.
> Best regards,
> Tonke
Hello Tonke,
With our drop rules we want to stop lateral movement if a client is compromised.
In this example, is a client in the same AD an unknown connection?
--
Regards Falk
Hi Falk,
As Tonke is on holiday leave today, let me answer that.
The basic idea of a local firewall is to protect the local host, not others. Others have to protect themselves.
Your 4 meta-rules are pretty common, but based on an old interpretation of a port/packet based firewall design. For over 10 years firewalls have been designed "stateful". That means outbound traffic to port X allows the addressed remote system to respond without specially allowing traffic from that remote system to the local host.
So your adapted metarules would read as:
I guess that systems belonging to $MGNT would be e.g. an inventory server or software management system. $Special_Clients include Helpdesk and Admin PCs.
1) "allow inbound traffic from $MGNT"
"allow inbound traffic from $Special_Clients"
These are the only two rules you need to create (arrow pointing left for "inbound").
2) "allow unknown outbound traffic"
"deny unknown inbound traffic"
These rules are static rules from Defender Firewall, always at the end AFTER all other rules if enabled from F-Secure. They do not appear in the rules listing.
Last but not least you have to activate "Ignore all firewall rules that are not listed in this profile" to disable all Windows firewall rules.
Do NOT activate "Block all inbound connections". This is a Windows built-in rule and will really block all inbound traffic, as it is applied BEFORE all other rules.
It should be clear that the rules in 1) should not be applied on systems in $Special_Clients, otherwise they could compromise other systems inside $Special_Clients (similar with $MGNT). So as these have elevated rights they need to be protected specially, and Admins should generally not be allowed to remotely work on a Client from their own system where they read mails or do office stuff.
(In case you are located in Germany: we (perComp) regularly offer workshops, maybe you want to have a look)
Hope this helps
Matthias
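To make the ordering difference concrete, here is an added example (my own Python, not WithSecure code) that models the two evaluation orders as the replies above describe them: first-match ACL order for v13, and for v14 stateful replies first, then every block rule, then every allow rule, then the static defaults. The networks are constructed stand-ins for $MGMT, $SRV, $CLIENT and $SPECIAL_CLIENTS, and the v14 order is taken from the thread, not from the product's documentation.

```python
import ipaddress
# Constructed stand-in networks; the thread never gives real values for its $-variables.
MGMT    = ipaddress.ip_network("10.0.0.0/24")   # $MGMT
SRV     = ipaddress.ip_network("10.1.0.0/16")   # $SRV
CLIENT  = ipaddress.ip_network("10.2.0.0/16")   # $CLIENT
SPECIAL = ipaddress.ip_network("10.2.5.0/24")   # $SPECIAL_CLIENTS, a small subnet inside $CLIENT

# A rule is (action, direction, source network); "inbound" = arriving at the local host.
OLD_RULES = [                       # the OP's priority-ordered ACL written for v13
    ("allow", "inbound", MGMT),
    ("allow", "inbound", SRV),
    ("allow", "inbound", SPECIAL),
    ("deny",  "inbound", CLIENT),
]
NEW_RULES = [                       # the adapted set: inbound allows only, no explicit deny
    ("allow", "inbound", MGMT),
    ("allow", "inbound", SPECIAL),
]

def first_match_acl(rules, src, direction):
    """v13-style ACL: first matching rule wins, falling through means deny."""
    ip = ipaddress.ip_address(src)
    for action, d, net in rules:
        if d == direction and ip in net:
            return action
    return "deny"

def v14_host_firewall(rules, src, direction, reply_to_outbound=False):
    """v14 order as described in the thread: stateful replies pass, then every deny rule
    is checked before any allow rule, then the static defaults (allow out, deny in)."""
    if reply_to_outbound:
        return "allow"              # response to a connection this host opened itself
    ip = ipaddress.ip_address(src)
    for wanted in ("deny", "allow"):   # block rules always win, whatever the listing order
        for action, d, net in rules:
            if action == wanted and d == direction and ip in net:
                return action
    return "allow" if direction == "outbound" else "deny"

def compare(src):
    """Verdict for unsolicited inbound traffic from src under each model."""
    return {
        "old_acl":          first_match_acl(OLD_RULES, src, "inbound"),
        "old_rules_in_v14": v14_host_firewall(OLD_RULES, src, "inbound"),
        "new_rules_in_v14": v14_host_firewall(NEW_RULES, src, "inbound"),
    }

if __name__ == "__main__":
    for host in ("10.0.0.7", "10.2.5.9", "10.2.77.3"):   # mgmt, special client, ordinary client
        print(host, compare(host))
```

The 10.2.5.9 case is the one that bites: carried over unchanged into a block-first model, the OP's "deny $CLIENT" rule also drops the $SPECIAL_CLIENTS subnet it was meant to sit behind, which is why the adapted set has no explicit deny at all.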
Hi Mj-perComp,
Thanks for the detailed answer.
> Your 4 meta-rules are pretty common,
> but based on an old interpretation of a port/packet based firewall design.
> For over 10 years firewalls have been designed "stateful".
True, I come from the network side of things.
But now I know what direction we can take with this.
Going to set everything up in the lab before doing anything crazy.
And sadly I have a few miles to Germany, I'm from up north (Sweden).
--
Regards Falk