Move to the new V14 windows based firewall?

Aspirant


Hi,

 

We are planning an upgrade from v13, with an "old" network-rules-focused firewall setting, to the new Windows application-based firewall in v14.

 

The problem for us is that our rules are quite heavily based on normal ACL priority-based rules.
How did you guys handle the move to the new firewall way of thinking?


We stop all client-to-client traffic today, except for mgmt networks.
And that's an easy task with the >v14 firewall, but now.. not so much :)

And that is beq I think in the "old" way :)


Very simplified pseudorules below :)

 

1. allow ip $MGMT network
2. allow ip $SRV network
3. allow ip $SPECIAL_CLIENTS (some small subnets on $CLIENT/16)
4. deny ip any $CLIENT network

This works if the rules are read the old (normal) way :)
But now everything must be so granular if we try to use our old thinking..

So any ideas are welcome :)

--
Regards Falk


Moderator

Re: Move to the new V14 windows based firewall?

Hi falkowich

 

New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.

 

So it will match each rule one by one and finally apply the default action if no rule matched.

 

 

Aspirant

Re: Move to the new V14 windows based firewall?


@jamesch wrote:

> Hi falkowich
>
> New V14 firewall rules have different priority now. Block rules are applied first, and all the rest after that.
>
> So it will match each rule one by one and finally apply the default action if no rule matched.


Hi, thanks for the answer @jamesch.

But there is no way to set the priority between the different rules anymore, if I understand it right?


--
Regards Falk

Aspirant

Re: Move to the new V14 windows based firewall?

Hello Falk,

 

You could block unknown connections, so you don't need explicit deny rules.

 

Best regards,

Tonke

Aspirant

Re: Move to the new V14 windows based firewall?


@tonke wrote:

> Hello Falk,
>
> You could block unknown connections, so you don't need explicit deny rules.
>
> Best regards,
>
> Tonke


Hello Tonke,

With our drop rules we want to stop lateral movement if a client is compromised.
In this example, is a client in the same AD an unknown connection?

 

--
Regards Falk

Superuser

Re: Move to the new V14 windows based firewall?

Hi Falk,
as Tonke is on holiday leave today, let me answer that.


The basic idea of a local firewall is to protect the local host, not others. Others have to protect themselves.

Your 4 meta-rules are pretty common, but based on an old interpretation of a port/packet-based firewall design. For over 10 years firewalls have been designed "stateful". That means outbound traffic to port X allows the addressed remote system to respond without specially allowing traffic from that remote system to the local host.

So your adapted metarules would read as:
I guess that systems belonging to $MGNT would be e.g. an inventorizing Server or Software Management System. $Special_Clients include Helpdesk and Admin PCs.

1)  "allow inbound traffic from $MGNT"
    "allow inbound traffic from $Special_Clients"
These are the only two rules you need to create (arrow pointing left for "inbound").

2)  "allow unknown outbound traffic"
    "deny unknown inbound traffic"
These rules are static rules from Defender Firewall, always at the end AFTER all other rules if enabled from F-Secure. They do not appear in the rules listing.

Last but not least you have to activate "Ignore all firewall rules that are not listed in this profile" to disable all Windows firewall rules.

Do NOT activate "Block all inbound connections". This is a Windows built-in rule and will really block all inbound traffic, as it is applied BEFORE all other rules.

It should be clear that the rules in 1) should not be applied on systems in $Special_Clients, otherwise they could compromise other systems inside $Special_Clients (similar with $MGNT). So as these have elevated rights they need to be protected specially, and Admins should generally not be allowed to remotely work on a Client from their own system where they read mails or do office stuff.

(In case you are located in Germany: we (perComp) regularly offer workshops, maybe you want to have a look)

Hope this helps
Matthias

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de
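A small Python model of the evaluation order this thread describes (block rules first, then allow rules, then the default action, with stateful replies passing without a rule), added here as an illustration of why the four old ACL rules collapse to the two inbound allow rules above. It is not code from the thread or from F-Secure; the subnets and the rule/flow semantics are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption; the thread names the groups, not the subnets)
MGMT = ip_network("10.0.0.0/24")         # $MGNT: inventory / software management servers
SPECIAL = ip_network("10.100.250.0/24")  # $Special_Clients: helpdesk/admin PCs inside $CLIENT/16

class HostFirewall:
    """Simplified model: block rules, then allow rules, then the profile default
    (deny unknown inbound, allow unknown outbound). A small connection table lets
    replies to outbound flows in without an explicit rule (stateful behaviour)."""

    def __init__(self, inbound_allow, inbound_block=()):
        self.inbound_allow = list(inbound_allow)
        self.inbound_block = list(inbound_block)
        self.flows = set()  # (remote_ip, remote_port) of connections this host opened

    def outbound(self, remote_ip, remote_port):
        self.flows.add((remote_ip, remote_port))  # "allow unknown outbound traffic"
        return "allow"

    def inbound(self, remote_ip, remote_port):
        if (remote_ip, remote_port) in self.flows:
            return "allow"  # reply to a connection we opened: no rule needed
        addr = ip_address(remote_ip)
        if any(addr in net for net in self.inbound_block):
            return "block"  # block rules are evaluated before everything else
        if any(addr in net for net in self.inbound_allow):
            return "allow"
        return "block"      # "deny unknown inbound traffic" (profile default)

def client_profile():
    # The only two inbound allow rules an ordinary client needs (item 1 above).
    return HostFirewall(inbound_allow=[MGMT, SPECIAL])

def special_client_profile():
    # Helpdesk/admin PCs must not trust their peers inside $Special_Clients.
    return HostFirewall(inbound_allow=[MGMT])

def scenarios():
    client, admin_pc = client_profile(), special_client_profile()
    client.outbound("10.1.0.20", 443)  # client opens HTTPS to a server in $SRV
    return {
        "peer_client_to_client": client.inbound("10.100.7.7", 51515),    # lateral movement attempt
        "mgmt_server_to_client": client.inbound("10.0.0.5", 51515),
        "helpdesk_to_client": client.inbound("10.100.250.10", 51515),
        "srv_reply_to_client": client.inbound("10.1.0.20", 443),        # stateful reply
        "helpdesk_to_helpdesk": admin_pc.inbound("10.100.250.11", 51515),
    }
```

The old rule 2 ("allow ip $SRV") disappears entirely: the server reply is admitted by the connection table, not by a rule.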

Aspirant

Re: Move to the new V14 windows based firewall?

Hi Mj-perComp,

 

Thanks for the detailed answer.

> Your 4 meta-rules are pretty common,
> but based on an old interpretation of a port/packet-based firewall design.
> For over 10 years firewalls have been designed "stateful".

 

True, I come from the network side of things :)

But now I know what direction we can take with this.
Going to set everything in lab before doing anything crazy :)


And sadly I have a few miles to Germany, I'm from up north (Sweden) :)

--
Regards Falk