yzT wrote: » By application: Http in Http out Ssh in Ssh out ... ...
DevilWAH wrote: » how many devices and networks are you managing? that gets very messy after a few thousand hosts and dozen or more networks, and a few hundred protocols. if I say can you tell me how may devices in network 192.168.3.0 / 24 have incoming access and what are the protocols allowed. with a rule based based on protocols you need to check very rule to find out. its easy to set up rules but not so easy to trouble shot and monitor.
Christian. wrote: » I'm not a fan of zones at all. I prefer Checkpoint's approach where you don't have zones or the full concept of inside/outside/ratings. You configure the different interfaces on the box, and then the OS handles incoming traffic according to your rules. It will forward the traffic or not according to what you defined. So, if a package arrives with src x.x.x.x and with dest y.y.y.y on port abc, the firewall will process it if you have a rule for just that, regardless of the interface were it arrived. Of course, you can configure antispoofing to define what networks he is going to see coming from each interface to avoid spoofing, but you don't have to configure interfaces into the rules. It's one big policy that you can divide with labels depending on business units, applications or similar. If you have a firewall will many interfaces (let's say 8 ) and one server behind eth1 has to talk to many hosts that are behind many of those other interfaces (before it's implemented you don't know if that will be used or not), you will need to define rules for each pair of interfaces (eth1 to eth2, eth1 to eth3, eth1 to eth4, etc). If those destination hosts also have to talk with that source server, you will need more rules on each pair to allow that traffic. It's a mess for something simple, and worse if you need to modify that in a future, or even remove it in a future on a rule base that has been building over time. With checkpoint you only need 2 rules. One where the server is the source and all those servers are the destination. Then, another rule with the opposite, the hosts as source and server as destination. That's it, much easier to setup and you avoid ending with a gazillion rules. If you have to handle a large amount of firewalls (I'm doing over 60, most of them in HA so over 30 environments with multiple interfaces on each device), it can get really messy really fast when you have rules that sometimes have to be deployed in 2 or 3 firewalls at the same time because they are crossing each other. Internal customers don't know any of this or the topology, so it's your job to identify the firewalls that have to be modified and keep requests clean. If you also have to determine pairs for each rule on several firewalls, it would be a full time job just to submit that into forms for approvals and then to deploy them. That's how I see things at least.
