Hello and welcome to our Network Segmentation course. I'm Professor Wool. Today's lesson will discuss how to build firewall policies for east-west traffic.
So, if you recall our last segment, we talked about a situation where you have a data center and you've decided to segment it by placing a firewall inside of it, to allow all the traffic that is going through that firewall and nothing else. And the challenge that we're faced with is that we don't really know what the traffic is, what the legitimate traffic going through that firewall should be, because there was no firewall there before, it was just a switch, and we don't have good records indicating what needs to communicate with what. So how do we write the policy?

What we're going to do now is really suggest a methodology that you could deploy in multiple ways, to have some structure around how to build such a policy. So the starting point is: you actually place the firewall in the middle of your network, in a place where it sees all the traffic, and you configure it with a very silly rule that we all know is bad, which is you write a rule from any to any with any service, allow. This is of course a completely insecure rule, so you ask, why bother writing such a rule? Well, the trick is that a firewall rule also has the ability to log traffic that it matches, and the important thing is to place in the log column of that any/any/any allow rule a log statement of "yes", indicating that you want a record of every connection hitting this very broad rule. And of course you place the rule; it's the only rule, but it's at the bottom of the rules, and we're going to be adding additional rules above it as we go on. By doing this you're not breaking any connections that you need to allow, because this is a rule that allows everything, so you can place it in a production network quite safely and it will not stop connectivity that you need.
So what you do is you place the firewall and configure it with this very broad rule with logging turned on, and you let it run for a while, a couple of days, a week, as long as it takes to generate meaningful statistics, and then you look. That's our phase one. And now in the next phase, what you do is you look at the logs and look at the traffic that's being matched by this rule. You will see traffic, legitimate traffic, going through that firewall. You can start with the busiest talkers, so the busiest servers or the busiest clients, and identify them. Once you've identified them, assuming that you identify that there is some connectivity between these two endpoints, you can write a specific rule saying: from 10.0.0.0 to ...168.0.3 with service HTTP, allow. Okay, so you've identified specific traffic that is legitimate; you can write a special rule just for that traffic. Now any traffic that is characterized by this rule that I just wrote will no longer hit the default allow rule at the end, because it will be caught by the rule above it. So basically you're reducing the amount of logs that are generated by the last rule. You know, the last rule will hit less and less traffic, and as you go through this process and you add more and more specific rules above the any-to-any rule, you're reducing the amount of logs that this very last rule is generating.
Now an option for you to consider is using subnet-based rules. So perhaps you saw traffic from one particular IP address to another particular IP address, and you can write a rule just for that traffic. But perhaps you know that, let's say, that server has siblings in similar IP addresses, so instead of writing such a very narrow rule you could expand it slightly and future-proof it. So you could write something like: from 10.0.0.0/24, from the whole subnet, to that same IP address, where the service is HTTP. So you can extend a little bit; you can generalize the examples that you saw in the log to slightly larger subnets. That will future-proof your rules and allow slightly more traffic than you've specifically observed, because you know that there are other pieces that might come into play. So you keep on doing this and grow the policy from the bottom up, while leaving the very last rule still being the any/any/any allow rule.
And you repeat this periodically, for as long as you need, until the stopping condition, which is when that very last rule is not hitting any traffic. So it's not allowing anything, because all the traffic that's going through the firewall is being allowed by one of the specific rules that you added above. When that happy day arrives, then you can replace the log statement and the allow action, and replace it by deny. And now you have a firewall that's actually protecting you, because all the specific traffic is allowed by the explicit rules and the final rule is deny, just like we always want to see in a well-configured firewall: the last rule is by default a deny. And now you're really protected.

So this is a methodology, a process, that you could follow completely manually. You could just look at the rules and the logs and write all of this by hand, or you could use technologies that assist you in constructing this policy and give you information as you go along, basically saving some of the labor of digging through the logs yourself. But fundamentally it would be the same process, just machine-assisted and faster. Thank you for your attention.
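The loop the lesson describes, carried through in code: log everything hitting the broad any/any/any allow rule, carve specific allow rules out of the busiest unexplained flows, optionally widen a source address to its /24 subnet, and only when the catch-all rule logs nothing flip its action to deny. This is an added Python example, not part of the course and not any vendor's policy tool. The log line format, the sample flows, the addresses and the first-match rule model are all constructed assumptions for illustration.

```python
"""Bottom-up east-west firewall policy building driven by catch-all rule logs.
Added example; the log format and all addresses below are constructed."""
from collections import Counter
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "tcp/80" style; "any" matches every service
    action: str    # "allow" or "deny"
    log: bool = False

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.service in ("any", service))


ANY = ipaddress.ip_network("0.0.0.0/0")
# Phase 1: the deliberately broad any/any/any allow rule, logging turned on.
CATCH_ALL = Rule(ANY, ANY, "any", "allow", log=True)

# Constructed sample log lines (not real firewall output), one per connection
# that hit the catch-all rule during the observation window.
SAMPLE_LOG = [
    "src=10.0.0.1 dst=192.168.0.3 svc=tcp/80",
    "src=10.0.0.1 dst=192.168.0.3 svc=tcp/80",
    "src=10.0.0.1 dst=192.168.0.3 svc=tcp/80",
    "src=10.0.0.2 dst=192.168.0.3 svc=tcp/80",
    "src=10.0.0.5 dst=192.168.0.3 svc=tcp/80",
    "src=10.0.0.1 dst=192.168.0.10 svc=tcp/3306",
    "src=10.0.0.1 dst=192.168.0.10 svc=tcp/3306",
    "src=10.0.7.9 dst=192.168.0.3 svc=tcp/22",
]


def parse_log(lines):
    """Turn 'src=.. dst=.. svc=..' lines into (src, dst, service) flow tuples."""
    flows = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append((fields["src"], fields["dst"], fields["svc"]))
    return flows


def first_match(policy, flow):
    """Index of the first rule matching the flow (first-match semantics assumed)."""
    for idx, rule in enumerate(policy):
        if rule.matches(*flow):
            return idx
    return None


def unexplained(policy, flows):
    """Flows still landing on the last (catch-all) rule. This is exactly what
    that rule's log shows, and what the next round of specific rules must cover."""
    last = len(policy) - 1
    return [f for f in flows if first_match(policy, f) == last]


def propose_rules(flows, top_n=1, src_prefix=32):
    """Phase 2: take the busiest (src, dst, service) triples among the unexplained
    flows and turn each into a specific allow rule. src_prefix < 32 generalizes
    the source to its subnet, the 'future-proofing' step from the lesson."""
    proposed = []
    for (src, dst, svc), _count in Counter(flows).most_common(top_n):
        src_net = ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)
        rule = Rule(src_net, ipaddress.ip_network(f"{dst}/32"), svc, "allow")
        if rule not in proposed:
            proposed.append(rule)
    return proposed


def refine(policy, flows, top_n=1, src_prefix=32):
    """One iteration: insert the new specific rules above the catch-all, which stays last."""
    new_rules = propose_rules(unexplained(policy, flows), top_n, src_prefix)
    return policy[:-1] + new_rules + [policy[-1]]


def finalize(policy, flows):
    """Stopping condition: only when nothing hits the catch-all may its action
    flip from allow to deny. Refusing otherwise avoids breaking live traffic."""
    if unexplained(policy, flows):
        raise ValueError("catch-all still matching traffic; keep refining")
    return policy[:-1] + [replace(policy[-1], action="deny")]


def is_allowed(policy, flow):
    idx = first_match(policy, flow)
    return idx is not None and policy[idx].action == "allow"


def run_example():
    """Drive the whole loop over SAMPLE_LOG and return the finished policy."""
    flows = parse_log(SAMPLE_LOG)
    policy = [CATCH_ALL]
    # Each round: exact rule for the top talker, or a /24-widened one.
    for prefix in (32, 24, 24, 32):
        policy = refine(policy, flows, top_n=1, src_prefix=prefix)
    return finalize(policy, flows)


if __name__ == "__main__":
    for rule in run_example():
        print(rule.src, "->", rule.dst, rule.service, rule.action, "log" if rule.log else "")
```

Each `refine` round corresponds to one look at the catch-all rule's log: the busiest remaining flow becomes an explicit rule, the log shrinks, and the loop repeats until `unexplained` is empty, at which point `finalize` is the "happy day" switch to a default deny.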