Move to the new V14 windows based firewall?

falkowich
falkowich W/ Alumni Posts: 10 Security Scout

Hi,

We are planning an upgrade from v13, with an "old" network-rule-focused firewall setup, to the new Windows application-based firewall in v14.

The problem for us is that our rules are quite heavily based on normal ACL priority-based rules.
How did you handle the move to the new firewall way of thinking?


We stop all client-to-client traffic today, except for mgmt networks.
And that's an easy task with the >v14 firewall, but now... not so much :)

And that is beq I think in the "old" way :)


Very simplified pseudo-rules below :)

1. allow ip $MGMT network
2. allow ip $SRV network
3. allow ip $SPECIAL_CLIENTS (some small subnets on $CLIENT/16)
4. deny ip any $CLIENT network

This works if the rules are read the old (normal) way :)
But now everything must be so granular if we try to use our old thinking...

So any Ideas are welcome :)

--
Regards Falk

Comments

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 498 Moderator

    Hi falkowich

    New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.

    So it will match each rule one by one and finally does the default action, if it did not match any rule.

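A small model of the two evaluation orders JamesC describes, applied to the four pseudo-rules from the opening post. This is an added example, not code from the thread or from the product: the network ranges are constructed stand-ins for the $MGMT, $SRV, $CLIENT and $SPECIAL_CLIENTS placeholders, and the rewrite in to_block_first is my own generalisation of why a block-first order forces many granular deny rules where the old ACL needed one line.

```python
import ipaddress as ipa

# Constructed sample networks standing in for the thread's $MGMT, $SRV,
# $CLIENT and $SPECIAL_CLIENTS placeholders (assumed values, not real ranges).
MGMT = ipa.ip_network("10.0.0.0/24")
SRV = ipa.ip_network("10.1.0.0/16")
CLIENT = ipa.ip_network("10.2.0.0/16")
SPECIAL = ipa.ip_network("10.2.5.0/24")   # a small subnet inside $CLIENT
ANY = ipa.ip_network("0.0.0.0/0")

# The four pseudo-rules from the opening post as (action, source, destination).
ORDERED = [("allow", MGMT, ANY), ("allow", ANY, SRV),
           ("allow", SPECIAL, ANY), ("deny", ANY, CLIENT)]

def hit(rule, src, dst):
    return src in rule[1] and dst in rule[2]

def first_match(rules, src, dst, default="allow"):
    """Classic ACL: walk top to bottom, first matching rule wins."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    return next((r[0] for r in rules if hit(r, src, dst)), default)

def block_first(rules, src, dst, default="allow"):
    """v14-style evaluation: all deny rules are checked before any allow."""
    return first_match(sorted(rules, key=lambda r: r[0] != "deny"), src, dst, default)

def carve(nets, hole):
    """Subtract `hole` from a list of CIDRs (CIDRs either nest or are disjoint)."""
    out = []
    for n in nets:
        if hole.subnet_of(n):
            out.extend(n.address_exclude(hole))
        elif not n.subnet_of(hole):
            out.append(n)
    return out

def to_block_first(rules):
    """Rewrite an ordered ACL so block-first evaluation gives the same verdicts:
    each deny's source range is carved around sources an earlier allow covered."""
    out = []
    for i, (action, src, dst) in enumerate(rules):
        srcs = [src]
        if action == "deny":
            for a, asrc, adst in rules[:i]:
                if a == "allow" and dst.subnet_of(adst):
                    srcs = carve(srcs, asrc)
                elif a == "allow" and dst.overlaps(adst):
                    raise NotImplementedError("destination would need splitting too")
        out.extend((action, s, dst) for s in srcs)
    return out
```

Under block-first evaluation the single "deny any -> $CLIENT" line also blocks $MGMT and $SPECIAL_CLIENTS traffic; to_block_first shows how many explicit deny rules the equivalent policy needs.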

  • falkowich
    falkowich W/ Alumni Posts: 10 Security Scout

    @jamesch wrote:

    > Hi falkowich
    >
    > New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.
    >
    > So it will match each rule one by one and finally does the default action, if it did not match any rule.


    Hi, Thanks for the answer @jamesch.

    But there is no way to set the priority between the different rules anymore? 
    If I understand it right?


    --
    Regards Falk

  • tonke
    tonke W/ Partner Posts: 5 Cyber Knight

    Hello Falk,

    You could block unknown connections, so you don't need explicit deny rules.


    Best regards,

    Tonke

  • falkowich
    falkowich W/ Alumni Posts: 10 Security Scout

    @tonke wrote:

    > Hello Falk,
    >
    > You could block unknown connections, so you don't need explicit deny rules.
    >
    > Best regards,
    >
    > Tonke


    Hello Tonke,

    With our drop rules we want to stop lateral movement if a client is compromised.
    In this example, is a client in the same AD an unknown connection?

    --
    Regards Falk

  • falkowich
    falkowich W/ Alumni Posts: 10 Security Scout

    Hi Mj-perComp,

    Thanks for the detailed answer.

    > Your 4 meta-rules are pretty common,
    > but based on an old interpretation of a port/packet-based firewall design.
    > For over 10 years firewalls have been designed "stateful".

    True, I come from the network side of things :)

    But now I know what direction we can take with this.
    Going to set everything in lab before doing anything crazy :)


    And sadly I have a few miles to Germany, I'm from up north (Sweden) :)

    --
    Regards Falk
