Friday, June 26, 2009

Raw unrefined suggestion about firewall rules

Since we now see attacks coming from inside intranets, via zombie networks, I think it would be a good idea to turn on the firewall on every machine in the network (including Windows workstations, which I know is sometimes a problem) and to give each of them a detailed set of rules.

My problem was: how do you work out the rules for such a complex problem, with so many machines?
My suggestion: why not propose a standard for a single file that gives the positive rules a piece of software needs in order to operate?

One file per application, that would come shipped with the application, and would describe all the things that need be open, for the application to work. The file would not describe what set of rules to put on which firewall, but simply what needs to be open.

If we have a look at the TCP/IP layers
[Figure: TCP/IP layers. This picture is from Wikipedia, under the GFDL license.]
we see that simple firewalls operate on the Internet and Transport layers. Modern firewalls and proxies also operate on the Application layer.
I guess a simple XML dialect could be created to describe which things need to be let in and out, and on which layer. If this gets standardized, or at least RFC'ed, there is a good chance of seeing open source software adopt it, on both the application and the firewall sides. In that case, since open source has the biggest market share on infrastructure, others should follow.
(All that raw and unrefined.)
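As an added illustration (not code from the original post), here is what such a per-application manifest and its translation on the firewall side could look like. The XML element names, the "webapp" sample and the generated pf rules are all assumptions made up for this example; the point is that the application only declares what it needs open, and the firewall derives a default-deny rule set from it.

```python
# Added example: a hypothetical per-application "needs" manifest in a small
# XML dialect, compiled into OpenBSD pf rules. The element names and the
# sample values are invented for this illustration; they are not a standard.
import xml.etree.ElementTree as ET

# Constructed sample manifest for a hypothetical "webapp" service.
MANIFEST = """<?xml version="1.0"?>
<needs app="webapp">
  <need direction="in" layer="transport" proto="tcp" port="443"/>
  <need direction="out" layer="transport" proto="tcp" port="5432" host="10.0.0.5"/>
  <need direction="out" layer="transport" proto="udp" port="53"/>
</needs>
"""

ALLOWED_DIRECTIONS = {"in", "out"}
ALLOWED_PROTOS = {"tcp", "udp"}


def parse_needs(xml_text):
    """Parse a manifest into (app name, list of needs). Anything outside the
    narrow vocabulary is rejected, so a malformed or hostile manifest cannot
    open more than the vocabulary allows."""
    root = ET.fromstring(xml_text)
    if root.tag != "needs":
        raise ValueError("root element must be <needs>")
    needs = []
    for el in root.findall("need"):
        direction, proto = el.get("direction"), el.get("proto")
        port = int(el.get("port", "0"))
        if direction not in ALLOWED_DIRECTIONS or proto not in ALLOWED_PROTOS:
            raise ValueError("unsupported direction/proto in manifest")
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        needs.append({"direction": direction, "proto": proto,
                      "port": port, "host": el.get("host", "any")})
    return root.get("app"), needs


def to_pf_rules(app, needs, iface="em0"):
    """Emit pf rules: block everything, then one pass rule per declared need."""
    rules = [f"# rules generated from the manifest of {app}", "block all"]
    for n in needs:
        if n["direction"] == "in":
            rules.append(f"pass in on {iface} proto {n['proto']} "
                         f"from any to ({iface}) port {n['port']}")
        else:
            rules.append(f"pass out on {iface} proto {n['proto']} "
                         f"from ({iface}) to {n['host']} port {n['port']}")
    return rules
```

The generated rules are only a starting point for the local firewall; the policy decision of whether a declared need is acceptable still belongs to the administrator.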


  1. If you do this at the application layer, then the rules description will be on par with the open ports.

    This won't be an added layer of security :-|

    Am I wrong?

  2. I am not sure about your meaning.
    I mean to write a single file that describes all the needs of the piece of software (positive rule) for each layer.
    Then such files could be fed to the firewall for autoconfiguration.

    Of course, as you mentioned on the phone and as I long defended (also in this blog), only the man's job is real security. Firewall is only a help to shape the traffic, and this idea that I am proposing is only a help to configure the firewall.

  3. I am not sure I did understand the problem. You want to be able to write rules like

    allow my_server run pgsql

    and have a config file that describes the connectivity needs of PostgreSQL, right?

    Well, after working a few years with OpenBSD's pf, I was able to accomplish something similar. Pf is worth learning, and the adoption of pf by FreeBSD is testimony to this :-)

  4. Yeah, it's a complex one, and through your and Day's comments I think I should rather write a new article to put the idea more clearly.

    The idea is simply that an application would self-describe its requirements in terms of opening of networks. The local firewall would then collect those self-descriptions and set the corresponding rules.

    It would allow for a more granular setting of firewalling rules and also for an automated firewall configuration.

    This is at the "personal firewall" level, but you could also imagine a centralized system that would allow for automatic configuration of the main corporate firewall, in agreement with a policy, of course.

