01-21-2021 10:34 AM
Hi Everyone,
I'm looking for recommendations for the best methodology you follow for typical internet access on the Firepower firewalls. In this case people are allowed to use the internet for personal use (social, videos, email etc.) so long as it is not deemed inappropriate. ACLs are obviously more locked down for access to other areas within the network, servers etc. The goal is to block them from the obvious risks, but there is trust placed in the end user's actions and the end user's security.
The methodology I am thinking is best is:
Is a final allow-all something typically done, or do most organizations still allow specific ports and applications and then block everything else?
I appreciate any feedback you can give for what methodology you follow.
Thank you,
01-21-2021 10:50 AM - edited 01-21-2021 10:52 AM
Hi @Alex-Pr
That's a comprehensive list you have there. I'd consider also creating an SSL Policy and blocking revoked certificates, self-signed certificates, invalid issuers, weak ciphers and old versions (SSL 3.0 and possibly TLS 1.0).
Permit only what you need and use a default deny
HTH
01-21-2021 11:26 AM
Thanks Rob,
That policy you mention is a good idea.
The part I am a bit torn about is the default allow or default deny specific to this outbound-initiated traffic. I find quite often that new applications, especially related to web streaming, either update or change and the FTD may not have the updated VDB list, so packets get blocked because it either did not recognize the application or it's an application we haven't allowed yet, so it turns into a bit of a game of whack-a-mole. When I look at the block list there isn't anything that jumps out at me as a risk, so I wonder about changing to the model of default allow and hoping that all the rest of the checks have the ability to detect and block the malicious traffic. Having the long allow list that you constantly update with a default block is definitely the safer bet, but I am curious how many people go down the route of relying on the smarts of all the steps.
Thanks again.
01-21-2021 11:41 AM
Well, if those applications you haven't yet allowed would normally hit an http/https rule, create a rule at the bottom of the rule set permitting http/https with logging enabled and block everything else. This would be a kind of happy medium between manageability and security.
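As an added illustration of the ordering suggested above (explicit allows first, then a logged http/https catch-all, then block everything else), here is a small first-match rule simulator. It is example code written for this thread, not Cisco or FTD code; the rule names, applications and ports are made up, and a flow whose application is not identified stands in for the VDB-lag case.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    apps: Optional[set] = None       # None = match any application
    ports: Optional[set] = None      # None = match any destination port
    log: bool = False                # log connections that hit this rule

@dataclass
class Flow:
    dst_port: int
    app: Optional[str]               # None = application not identified by app detection

@dataclass
class Verdict:
    rule: str
    action: str
    logged: bool

def evaluate(rules, flow):
    """First-match evaluation, top to bottom; no match means the implicit default block."""
    for r in rules:
        if r.apps is not None and flow.app not in r.apps:
            continue
        if r.ports is not None and flow.dst_port not in r.ports:
            continue
        return Verdict(r.name, r.action, r.log)
    return Verdict("implicit-default", "block", False)

# Constructed policy: specific application allows, then the logged web catch-all, then block.
POLICY = [
    Rule("allow-known-streaming", "allow", apps={"YouTube", "Netflix"}),
    Rule("allow-mail", "allow", apps={"SMTPS", "IMAPS"}, ports={465, 993}),
    Rule("catch-all-web", "allow", ports={80, 443}, log=True),
    Rule("block-rest", "block", log=True),
]

def review_candidates(rules, flows):
    """Flows allowed only by a logged catch-all: the ones worth turning into explicit rules
    (or blocking) during the next policy review, instead of discovering them as block events."""
    return [(f, evaluate(rules, f).rule) for f in flows
            if evaluate(rules, f).action == "allow" and evaluate(rules, f).logged]
```

Running `evaluate(POLICY, Flow(443, None))` shows an unrecognized application on 443 being allowed and logged by the catch-all, while the same unknown traffic on a non-web port falls through to the block rule.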