2

In an organization where there exists a network with VLANs, where communication between all VLANs is allowed, we are going to install a firewall and define security zones.

The security zones will block all communications by default and we are going to create individual rules for allowing traffic between security zones that need to communicate.

The network is in production with lots of business critical applications and clients communicating all with each other.

What is the best procedure to implement the firewall and the security zones without affecting the production network?

Eloy Roldán Paredes
  • probable dupe of http://security.stackexchange.com/questions/54278/dual-firewall-dmz – JOW Nov 20 '15 at 18:00
  • 1
    No. My question is about how to "slowly" or correctly introduce and enable rules without impacting the network, and not what rules I should introduce. – Eloy Roldán Paredes Nov 20 '15 at 18:07

1 Answer

2

I've got nothing more than common sense to offer.

Tap the network, collect network flows and verify the network flows. Introduce rules to permit those network flows.

When we did this, we discovered that network flows are a long tail distribution. Work from both ends:

  • Work with stakeholders to determine business needs, and document those as firewall permit rules. This requires a lot of soft skill negotiation in tandem with other activities.
  • Study the high traffic flows, validate that they are aligned with business needs, and permit them explicitly.
  • Study the low frequency network flows and see if they align with business needs; if not, block them.
  • Get access to a blacklist with known bad actors; alarm or block these (this is a good step to use to feed to stakeholders).

In each case, when you think you've identified a bad flow, run it as an alarm until you can get stakeholders to agree that it is not aligned with business needs.

Depending on how close you are to your management, I'd measure each of these steps and advertise the results. Measure the bandwidth through your permit rules and your deny rules and let management know that you've preserved the value of X MB (and at the current price of bandwidth, that's $), and you've denied Y MB of traffic (at the current price, that's $). I'd probably also include that I'm studying Z MB of traffic. Ultimately your work is blocking attacks, preserving the network for legitimate uses, and significantly advancing the state of the company's continuity of operations, disaster recovery and devolution plans.

MCW
  • Thanks very much. I would add that when all the possible "permits" are identified, add as the last rule a "disallow everything" to block the not permitted traffic. Do you agree? – Eloy Roldán Paredes Nov 21 '15 at 07:20
  • 1
    Yes, in theory. In practice, I don't think you'll ever finish the permits. There will always be one more application that needs to be modelled. (Caveat: when I did this it was for a massive world wide organization; if you have a smaller organization, it may be plausible.) Security should be built on the theory that we block that which is not permitted, but operations will make the opposite argument. You indicated that you were looking for a softer approach, so I didn't include that final step. – MCW Nov 21 '15 at 11:36
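One way to turn collected flows into the staged zone rule set the answer describes (permit the validated high-volume head, log-only alarms for the long tail, and the final "disallow everything" rule raised in the comments), as an added Python example that is not part of the original post. The flow records, zone names and the stakeholder-approved set are constructed stand-ins for what a tap or flow collector would export.

```python
from collections import Counter

# Constructed sample flow records (src_zone, dst_zone, dst_port, bytes),
# standing in for the flows a network tap or flow collector would export.
SAMPLE_FLOWS = [
    ("clients", "apps", 443, 40_000_000),
    ("clients", "apps", 443, 35_000_000),
    ("apps", "db", 5432, 20_000_000),
    ("clients", "fileshare", 445, 30_000_000),  # high volume, not yet signed off
    ("clients", "dns", 53, 3_000_000),
    ("apps", "db", 5432, 15_000_000),
    ("clients", "db", 5432, 40_000),        # long tail: client talking straight to DB
    ("apps", "internet", 22, 12_000),       # long tail: outbound SSH from app zone
]

# Flow keys stakeholders have already confirmed as business needs (constructed).
APPROVED = {("clients", "apps", 443), ("apps", "db", 5432), ("clients", "dns", 53)}


def aggregate(flows):
    """Sum bytes per (src_zone, dst_zone, dst_port) key."""
    totals = Counter()
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes
    return totals


def build_rules(flows, approved, head_share=0.95):
    """Return an ordered rule list: (action, src_zone, dst_zone, dst_port, bytes).

    Keys are ranked by volume; those that together carry `head_share` of all
    bytes are the head of the long tail. Approved keys become 'permit'. Head
    keys not yet approved are 'review' (still allowed, so production keeps
    working, but they need a stakeholder decision). Tail keys become log-only
    'alarm' rules until stakeholders agree they are not needed. A deny-all
    rule closes the list, as the final step discussed in the comments.
    """
    totals = aggregate(flows)
    grand = sum(totals.values())
    rules, seen = [], 0
    for key, nbytes in totals.most_common():
        in_head = seen < head_share * grand  # this key still lies in the head
        seen += nbytes
        if key in approved:
            action = "permit"
        elif in_head:
            action = "review"   # permitted for now, pending stakeholder sign-off
        else:
            action = "alarm"    # log only; candidate for an explicit block later
        rules.append((action, *key, nbytes))
    rules.append(("deny", "any", "any", "any", 0))  # final disallow-everything rule
    return rules
```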