Even though next-generation firewalls are at our door (filtering at the application level – layer 7), most firewalls still work with source and destination ports.
I often see firewall change requests submitted by customers to add rules like: “Allow traffic between X and Y” without further details. And when you ask them which ports to allow, the classic answer is “All of them”.
A golden rule for network administrators is “Know your network!”. Ideally, all the traffic passing on the wire must be identified, and “unknown” traffic must be automatically classified as “suspicious”. If your users ask you to allow all the traffic between two hosts or networks, ask them which application they would like to use. Maybe they won’t be able to give you more details. But investigate! Find out how the application works and which ports are required.
Allowing all the traffic could have side effects:
- Badly protected servers could be exposed to bad guys;
- Users could exchange unauthorized traffic over your network.
Avoid the “Any” keyword like the plague! To stop ping-pong communications between the involved parties, set up a procedure based on a “change request” document that users fill in for every new change to the firewall policy. The document must contain a section where they can explain (in plain English, not bits & bytes) what they would like to do.
Finally, don’t be afraid to give a negative answer if you think the traffic could affect network security or if some details are missing from the document (but stay polite and explain your decision)!
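As an added illustration (not part of the original post), the sketch below audits a rule set for the “Any” cases described above: ACCEPT rules with no source, no destination, no protocol or no destination port. The `iptables-save` format, the sample rules and the function names are assumptions chosen for the example; negated matches (`!`) are not evaluated.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the original post).
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/24 -d 10.2.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.5/32 -d 10.2.0.20/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.3.0.0/24 -d 10.2.0.30/32 -p udp -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.2.0.40/32 -p tcp -m multiport --dports 80,8080 -j ACCEPT
-A FORWARD -s 10.9.0.0/24 -j DROP
COMMIT
"""

ANY_NET = {"0.0.0.0/0", "::/0"}
PORT_OPTS = {"--dport", "--dports", "--destination-port", "--destination-ports"}

def audit_rule(line):
    """Return the "any" findings for one -A line (empty list if specific)."""
    tok = shlex.split(line)
    opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
    if opt.get("-j") != "ACCEPT":
        return []  # only rules that let traffic through are of interest
    findings = []
    if opt.get("-s", "0.0.0.0/0") in ANY_NET:
        findings.append("any source")
    if opt.get("-d", "0.0.0.0/0") in ANY_NET:
        findings.append("any destination")
    proto = opt.get("-p", "all")
    if proto == "all":
        findings.append("any protocol")
    elif proto in ("tcp", "udp") and not PORT_OPTS & opt.keys():
        findings.append("any port")  # protocol named, but every port is open
    return findings

def audit(ruleset):
    """Map line number -> findings for every over-permissive ACCEPT rule."""
    report = {}
    for n, line in enumerate(ruleset.splitlines(), 1):
        if line.startswith("-A "):
            found = audit_rule(line)
            if found:
                report[n] = found
    return report

if __name__ == "__main__":
    for n, found in audit(SAMPLE_RULES).items():
        print(f"line {n}: {', '.join(found)}")
```

Each flagged line is a candidate for going back to the requester with the question from the post: which application, and which ports?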