How do you guys go about managing firewall rules with multiple sites that connect over VPN? Do you allow anything in the LAN zone across the VPN? Do you filter by subnet? By user/groups matching?
We have 30+ sites and right now it's a free-for-all. However, I'm trying to lock things up a little bit.
Our current setup right now has 3 sites that provide resources for the 30 remote sites (DCs, File Sharing, Applications, etc.). All the remote sites connect via VPN to the 3 main sites.
However, we have a VLAN at a remote site, for example, that operates our point of sale systems. Obviously it doesn't need access to all our resources, except DCs to authenticate, WSUS, WDS, and Print Server. When I map out the rules on paper, it seems overly excessive and difficult to manage, especially since WSUS/WDS share the same subnet as some application servers.
The goal is to try and improve security, but at the same time, creating host/IP networks or host/IP groups in our firewall for 30+ sites that have 40+ subnets each is going to be very time consuming and could possibly cause performance issues on our firewalls. Not to mention thousands of firewall rules.
I was thinking of limiting it down to three rules, the last one being the free-for-all if it doesn't match the first two, but then things like Apple TVs will have access to everything.
Example:
Rule 1
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Application Servers, Printing, File Share
Match Users: Domain Users
Rule 2
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Any
Match Users: Domain Admins
Rule 3
Source Zone: LAN, Network: Any
Destination Zone: VPN, Network: Any
Match Users: Disabled
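A way to sanity-check a rule table like the one above before committing it to a firewall, as an added example that is not part of the original post: a small Python model of first-match evaluation on zone, address group and user group. The network groups, IP addresses, user groups and the "POS VLAN" object are constructed assumptions, not anything from the poster's environment. It runs the posted three rules beside a variant in which the catch-all Rule 3 becomes a deny and one narrow rule keeps unauthenticated hosts (point-of-sale terminals, media players) reaching only the domain controllers, so the effect of the final rule on identity-less devices is visible as a return value rather than a guess.

```python
"""Toy first-match evaluation of a zone-based firewall rule table.

Added example, not the original poster's configuration. Network groups,
addresses, user groups and the "POS VLAN" object are constructed for
illustration; real firewalls differ in detail (e.g. how a user identity is
attached to a flow), but first-match logic and the weight of the last rule
carry over.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address objects, keyed by the group name a rule refers to.
NETWORK_GROUPS = {
    "Any": ("0.0.0.0/0",),
    "Application Servers": ("10.1.10.0/24",),
    "Printing": ("10.1.20.0/24",),
    "File Share": ("10.1.30.0/24",),
    "Domain Controllers": ("10.1.5.0/24",),
    "POS VLAN": ("10.50.100.0/24",),  # one remote site's point-of-sale VLAN
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_nets: Tuple[str, ...]
    dst_zone: str
    dst_nets: Tuple[str, ...]
    match_users: Optional[frozenset]  # None models "Match Users: Disabled"
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    user_groups: frozenset  # empty for devices with no logged-on domain user


def ip_in_groups(ip: str, group_names: Tuple[str, ...]) -> bool:
    """True if ip falls inside any CIDR of any named address group."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr)
               for name in group_names for cidr in NETWORK_GROUPS[name])


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if not ip_in_groups(flow.src_ip, rule.src_nets):
        return False
    if not ip_in_groups(flow.dst_ip, rule.dst_nets):
        return False
    # A user-matching rule fires only when the flow carries a matching identity;
    # a flow with no identity falls through to later rules.
    if rule.match_users is not None and not (rule.match_users & flow.user_groups):
        return False
    return True


def evaluate(rules, flow: Flow):
    """Return (action, rule name) for the first matching rule, implicit deny otherwise."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit deny"


# The three rules as posted: an allow catch-all with user matching disabled.
POSTED_RULES = [
    Rule("Rule 1", "LAN", ("Any",), "VPN",
         ("Application Servers", "Printing", "File Share"),
         frozenset({"Domain Users"}), "allow"),
    Rule("Rule 2", "LAN", ("Any",), "VPN", ("Any",),
         frozenset({"Domain Admins"}), "allow"),
    Rule("Rule 3", "LAN", ("Any",), "VPN", ("Any",), None, "allow"),
]

# Constructed variant: identity-less hosts reach only the DCs, catch-all denies.
LOCKED_RULES = [
    POSTED_RULES[0],
    POSTED_RULES[1],
    Rule("Any LAN to DCs", "LAN", ("Any",), "VPN", ("Domain Controllers",), None, "allow"),
    Rule("Rule 3", "LAN", ("Any",), "VPN", ("Any",), None, "deny"),
]

# Constructed sample flows from a remote site into the VPN zone.
APPLE_TV_TO_APP = Flow("LAN", "10.50.200.10", "VPN", "10.1.10.5", frozenset())
POS_TO_DC = Flow("LAN", "10.50.100.20", "VPN", "10.1.5.10", frozenset())
POS_TO_APP = Flow("LAN", "10.50.100.20", "VPN", "10.1.10.5", frozenset())
USER_TO_FILESHARE = Flow("LAN", "10.50.200.50", "VPN", "10.1.30.7", frozenset({"Domain Users"}))
ADMIN_TO_DC = Flow("LAN", "10.50.200.60", "VPN", "10.1.5.10",
                   frozenset({"Domain Users", "Domain Admins"}))

if __name__ == "__main__":
    samples = [("Apple TV -> app server", APPLE_TV_TO_APP), ("POS -> DC", POS_TO_DC),
               ("POS -> app server", POS_TO_APP), ("user -> file share", USER_TO_FILESHARE),
               ("admin -> DC", ADMIN_TO_DC)]
    for label, flow in samples:
        print(f"{label:24} posted={evaluate(POSTED_RULES, flow)}  "
              f"locked={evaluate(LOCKED_RULES, flow)}")
```

Running it shows the two tables agree for domain users and admins (Rules 1 and 2 fire first either way) and differ only for flows with no user identity: with the posted table every such flow lands on the allow catch-all, with the locked table it lands on the DC rule or the deny. Adding a WSUS/WDS or print-server group for the POS VLAN is one more narrow rule in the same place, which is a small number of rules per device class rather than per site.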