This is a network defense design scheme question.
In a scenario where your organization is designing multi-layered firewall deployment and management, how granular do you create rules at each of these three layers?
Example site is a main/HQ site that also houses your data center (basic 3 tier model).
Site has your main internet gateway and VPN termination point. As an example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/IoT.
Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It's bridging traffic between gateway and data center.
Within data center, hosts have software host based firewalls, all centrally managed by management product.
Questions:
How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?
How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?
How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?
How have organizations you've worked for implemented these strategies?
Were they manageable vs effective?
Did the organization detect/prevent lateral movement if any unauthorized access happened?
What would you change about your organization's firewall related designs?
What sources of technical controls does your organization use?
Do you base device/operating system configurations on:
How rigorously does your organization enforce change management for policies or settings?
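The three layers in the question differ in what they can see, so a natural way to reason about granularity is to model each tier with the attributes it actually has: the gateway ZBF only knows zones, the transparent bridge between gateway and data center knows source/destination subnet and port, and the host firewall also knows the listening process. The following is an added example (not from the original post, not any vendor's configuration syntax) that encodes one such split in Python and runs a few constructed flows through all three tiers. All subnets, hosts, and process names are hypothetical, and the bridge is assumed to inspect only traffic crossing into or out of the data center network.

```python
"""Three-tier firewall policy model (constructed example, hypothetical addressing).

Tier 1: gateway zone-based firewall  - rules on (source zone, destination zone) only.
Tier 2: transparent inline firewall   - rules on (src subnet, dst subnet, proto, port),
        applied only to flows crossing the data-center boundary it bridges.
Tier 3: host-based firewall           - rules on (src subnet, proto, port, listening process).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical zone membership; "internet" is the catch-all for anything unmatched.
ZONES = {
    "vpn": [ip_network("10.200.0.0/16")],                           # site-to-site / client VPNs
    "corp": [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")],  # corporate LAN + data center
    "guest": [ip_network("192.168.100.0/24")],                      # guest / untrusted / IoT
}
DC_NET = ip_network("10.20.0.0/16")  # the segment behind the transparent bridge


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "internet"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    process: Optional[str] = None  # listening executable; only the host firewall sees this


# Tier 1: zone pairs only. Anything not listed is denied; intra-zone traffic never hits the ZBF.
GATEWAY_POLICY = {("corp", "internet"), ("vpn", "corp"), ("guest", "internet")}


def gateway_allows(flow: Flow) -> bool:
    s, d = zone_of(flow.src), zone_of(flow.dst)
    return s == d or (s, d) in GATEWAY_POLICY


# Tier 2: (src subnet, dst subnet, proto, dport) for traffic entering/leaving the data center.
INLINE_RULES = [
    (ip_network("10.200.0.0/16"), ip_network("10.20.1.0/24"), "tcp", 443),  # VPN users -> web tier
    (ip_network("10.10.0.0/16"), ip_network("10.20.1.0/24"), "tcp", 443),   # corp LAN -> web tier
    (ip_network("10.10.50.0/24"), ip_network("10.20.0.0/16"), "tcp", 22),   # admin jump subnet -> DC SSH
]


def inline_allows(flow: Flow) -> bool:
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if (src in DC_NET) == (dst in DC_NET):
        return True  # does not cross the bridge; this tier never sees it
    return any(src in sn and dst in dn and flow.proto == p and flow.dport == port
               for sn, dn, p, port in INLINE_RULES)


# Tier 3: per-host rules on (src subnet, proto, dport, listening process).
HOST_RULES = {
    "10.20.1.10": [  # web server
        (ip_network("0.0.0.0/0"), "tcp", 443, "nginx"),
        (ip_network("10.10.50.0/24"), "tcp", 22, "sshd"),
    ],
    "10.20.2.10": [  # database server
        (ip_network("10.20.1.0/24"), "tcp", 5432, "postgres"),
        (ip_network("10.10.50.0/24"), "tcp", 22, "sshd"),
    ],
}


def host_allows(flow: Flow) -> bool:
    src = ip_address(flow.src)
    return any(src in sn and flow.proto == p and flow.dport == port and flow.process == proc
               for sn, p, port, proc in HOST_RULES.get(flow.dst, []))


def evaluate(flow: Flow):
    """Return ("deny", tier) for the first tier that blocks the flow, or ("allow", None)."""
    for tier, check in (("gateway", gateway_allows), ("inline", inline_allows), ("host", host_allows)):
        if not check(flow):
            return ("deny", tier)
    return ("allow", None)


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", "10.20.1.10", 443, process="nginx"),    # internet -> web: stopped at gateway
        Flow("10.200.5.5", "10.20.1.10", 443, process="nginx"),     # VPN user -> web: allowed by all tiers
        Flow("10.10.3.3", "10.20.2.10", 5432, process="postgres"),  # LAN -> DB directly: stopped at bridge
        Flow("10.20.1.10", "10.20.2.10", 5432, process="postgres"), # web -> DB: legitimate, allowed
        Flow("10.20.1.10", "10.20.2.10", 22, process="sshd"),       # web -> DB SSH: only the host tier can see it
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport} ({f.process}): {evaluate(f)}")
```

The last sample is the lateral-movement case the question asks about: a compromised web server reaching its database peer over SSH is intra-zone for the gateway and never crosses the transparent bridge, so only the host firewall's source-subnet and process rule can deny it. Whether that host rule is actually enforced is what the central management product and change control have to guarantee.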
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
Learn more about: Implementing Least-Privilege Administrative Models
This is not an ad.
Does anyone have experience with Tenable products?
I'm interested in real-world experience regarding:
I'm playing with Tenable Security Center and Nessus Scanner. I'm early in the deployment, just looking for pointers and whether anyone has used it?
What alternatives is your org using if not?
Can you compare?
Edit: if anyone is interested, I can post results and opinions here also.
https://www.lavazzausa.com/en/whole-bean-coffee/crema-aroma
Crema e Aroma is a whole bean coffee made from carefully selected Arabica and Robusta beans. It's a creamy coffee ideal for your milk-based recipes and preparations.
https://globalnews.ca/news/10375175/ladies-lounge-mona-kirsha-kaechele-lawsuit-gender-discrimination-australia/
Artist Kirsha Kaechele arrived at the Tasmania courtroom alongside 25 women dressed in navy business attire, all of whom made a show of reading feminist texts in the courtroom.
https://public.cyber.mil/stigs/
https://7minsec.com/projects/projects-podcast/
The 7 Minute Security Podcast
What is it? The 7 Minute Security podcast is a weekly audio podcast (show notes are here) that started with 7-minute episodes - though they're typically much longer now :-) - and features some of our favorite security topics:
Penetration testing
Vulnerability assessments
Technical security tools/tips/techniques
Discussions of certifications
https://securityonionsolutions.com/
https://www.indystar.com/story/opinion/columnists/2024/02/23/senate-bill-202-conservatives-left-out-of-indiana-colleges/72705625007/
The Indiana General Assembly is right to scrutinize progressive colleges, columnist Michael Hicks writes.
@redfox
@infosec.pub