Wednesday, January 23, 2019

Managing firewall rules for dozens of sites?

How do you guys go about managing firewall rules with multiple sites that connect over VPN? Do you allow anything in the LAN zone across the VPN? Do you filter by subnet? By user/groups matching?

We have 30+ sites and right now it's a free-for-all. However, I'm trying to lock things up a little bit.

Our current setup right now has 3 sites that provide resources for the 30 remote sites (DCs, file sharing, applications, etc.). All the remote sites connect via VPN to the 3 main sites.

However, we have a VLAN at a remote site, for example, that operates our point-of-sale systems. Obviously it doesn't need access to all our resources, only the DCs to authenticate, WSUS, WDS, and the print server. When I map out the rules on paper, it seems overly excessive and difficult to manage, especially since WSUS/WDS share the same subnet as some application servers.

The goal is to try to improve security, but at the same time, creating host/IP networks or host/IP groups in our firewall for 30+ sites that have 40+ subnets each is going to be very time consuming and could cause performance issues on our firewalls. Not to mention thousands of firewall rules.

I was thinking of limiting it down to three rules, the last one being the free-for-all if it doesn't match the first two, but then things like Apple TVs will have access to everything.

Example:

Rule 1
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Application Servers, Printing, File Share
Match Users: Domain Users

Rule 2
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Any
Match Users: Domain Admins

Rule 3
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Any
Match Users: Disabled
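As an added illustration (not part of the original post), here is a small Python model of the three posted rules next to a hardened variant; the addresses and network object names are constructed assumptions. It shows why the free-for-all Rule 3 lets a device with no logged-in user, such as an Apple TV, reach everything, and how a narrower WSUS/WDS object plus an explicit final deny keeps the POS VLAN to the services the post names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for illustration only, not the poster's real networks.
# "WSUS/WDS" deliberately sits inside the application-server subnet, as the post describes.
NETWORKS = {
    "Any": ["0.0.0.0/0"],
    "Application Servers": ["10.1.10.0/24"],
    "WSUS/WDS": ["10.1.10.0/25"],
    "Printing": ["10.1.20.0/24"],
    "File Share": ["10.1.30.0/24"],
    "DCs": ["10.1.5.0/24"],
    "POS VLAN": ["10.50.40.0/24"],
}

@dataclass
class Rule:
    name: str
    src: list             # network object names on the LAN side
    dst: list             # network object names on the VPN side
    users: Optional[set]  # None models "Match Users: Disabled": any device, logged in or not
    action: str           # "allow" or "deny"

def in_networks(ip: str, names: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for n in names for cidr in NETWORKS[n])

def evaluate(rules: list, src_ip: str, dst_ip: str, groups: set) -> tuple:
    """First-match evaluation; a flow that matches nothing hits the implicit deny."""
    for r in rules:
        if (in_networks(src_ip, r.src) and in_networks(dst_ip, r.dst)
                and (r.users is None or r.users & groups)):
            return r.name, r.action
    return "implicit", "deny"

# The three rules exactly as posted: Rule 3 is the free-for-all catch-all.
POSTED = [
    Rule("Rule 1", ["Any"], ["Application Servers", "Printing", "File Share"], {"Domain Users"}, "allow"),
    Rule("Rule 2", ["Any"], ["Any"], {"Domain Admins"}, "allow"),
    Rule("Rule 3", ["Any"], ["Any"], None, "allow"),
]

# Hardened variant: the POS VLAN gets only the services the post lists for it (through a
# narrower WSUS/WDS object), and the catch-all becomes an explicit deny for everything else.
HARDENED = POSTED[:2] + [
    Rule("POS services", ["POS VLAN"], ["DCs", "WSUS/WDS", "Printing"], None, "allow"),
    Rule("Default deny", ["Any"], ["Any"], None, "deny"),
]
```

Under the posted rules an unauthenticated POS-VLAN device reaches the file share via Rule 3; under the hardened set it reaches the DCs and WSUS/WDS but is denied to the rest of the application-server subnet.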


