Monday, July 22, 2013

A firewall with permit any any doesn't always permit any any

Most of the time we think of firewalls as packet-filtering devices, so when we bring up new services, DMZs or security partitions and hear that all traffic is permitted, we assume all traffic will pass.

Of course this is not right; there are a few other things to consider.

Firewalls have to route, and most of the time the routing is static, so if the people configuring it forget to add the routes you need, your traffic does not get forwarded.

Also, depending on the vendor, firewalls have TCP session timers (to protect against certain DDoS attacks). In this case some sessions were timing out because the firewall's timer was different from the application's.
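A small model of that timer mismatch, added here as an illustration (it is not code from the original post): a stateful firewall with an idle timeout is fed an application's keepalive traffic, and packets arriving after the session has been aged out are dropped. The firewall model, addresses, ports and timer values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass
class Session:
    last_seen: float  # time of the last packet seen on this flow


class StatefulFirewall:
    """Toy stateful firewall with a permit-any-any rule and an idle session timer."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.table: Dict[Flow, Session] = {}
        self.dropped = 0

    def packet(self, flow: Flow, now: float, syn: bool = False) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        # Age out sessions that have been idle for the timeout or longer.
        for key in [k for k, s in self.table.items() if now - s.last_seen >= self.idle_timeout]:
            del self.table[key]
        if flow in self.table:          # known session: refresh and forward
            self.table[flow].last_seen = now
            return True
        if syn:                         # new connection, allowed by permit any any
            self.table[flow] = Session(now)
            return True
        self.dropped += 1               # mid-stream packet with no state: dropped
        return False


def simulate(idle_timeout: float, keepalive_interval: float, duration: float) -> int:
    """Open one connection, send a keepalive every keepalive_interval seconds
    for `duration` seconds, and return how many packets the firewall dropped."""
    fw = StatefulFirewall(idle_timeout)
    flow: Flow = ("10.0.0.5", 51234, "10.0.1.20", 443)  # constructed sample flow
    fw.packet(flow, 0.0, syn=True)
    t = keepalive_interval
    while t <= duration:
        fw.packet(flow, t)
        t += keepalive_interval
    return fw.dropped


if __name__ == "__main__":
    # Firewall times out idle sessions after 5 minutes; app only talks every 10.
    print("drops with 300s firewall timer, 600s keepalive:", simulate(300, 600, 3600))
    # Firewall timer longer than the application's keepalive: nothing is lost.
    print("drops with 3600s firewall timer, 600s keepalive:", simulate(3600, 600, 3600))
```

Once the first keepalive is dropped the flow never recovers, because the firewall has no state for it and no new SYN arrives; aligning the firewall timer with the application's keepalive (or vice versa) is the fix.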

They may also block UDP or ICMP by default (Cisco traceroute uses UDP, but Microsoft's tracert uses ICMP), so a traceroute from your PC works but one from a network device does not.

Finally, some firewalls will switch traffic in hardware, but you have to TELL them to do that. In one case Citrix turned on the session recovery feature, which uses a different TCP port than normal, and the new port was not configured for hardware acceleration, so CPU hit 85% and response times slowed. To get out of this we had to enable the hardware acceleration and then kill all the active connections.

Like I said, permit any any is not the end of your firewall issues.
