In some cases firewall administrators feel tempted to use “any” within an allow firewall rule, either because something isn’t working or to simplify their job.
Common examples of “any” within allow firewall rules
- Worst scenario: allow any protocol from any source to any destination. Such a rule allows everything through the firewall.
- Allow all outbound network traffic: any host or a single host on the internal network has unrestricted access to any destination.
- Allow all inbound traffic: any host or a single host on the outside network has unrestricted access to a specified internal destination.
- Allow all protocols between two hosts or networks: the two hosts or the hosts on the two networks have unrestricted access to each other.
Why is it bad to use “any” within an allow firewall rule?
First of all, it’s very bad for security:
- Permissive firewall rules can expose critical or vulnerable services and hosts.
- Attackers can gain unauthorized access to your network and its components.
- Attackers can steal data from your network.
- Worms can spread and infect your entire network.
Secondly, the firewall no longer acts as a strong control point for the traffic flowing through it:
- Beyond the security issues mentioned above, you lose the ability to control your users’ behavior.
- Your users can access any Internet service or application they want, exhausting Internet bandwidth and becoming unproductive.
- Overlapping firewall rules: because most firewalls stop at the first matching rule, an allow “any” rule placed above a deny rule permits traffic that you believe you have blocked with that other rule.
How to avoid using “any” within an allow firewall rule?
As a rule of thumb, never use “any” within allow firewall rules; write rules that permit only the traffic that is actually needed, so that you avoid both the security issues and the traffic flow control issues described above.
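The overlap problem and the least-privilege rewrite described above, as an added example that is not part of the original article: a small first-match rule evaluator in Python that compares a rule set containing the “worst scenario” allow any/any/any rule against a tightened set, reports rules that can never be reached because an earlier, broader rule covers them, and flags allow rules that use “any” for the protocol. The rules, hosts and addresses are constructed for illustration and do not describe any real network; the rule names and the `Rule` class are invented for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"  # wildcard for protocol, source or destination


@dataclass(frozen=True)
class Rule:
    """One firewall rule (hypothetical model, not a vendor syntax)."""
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp", "icmp" or ANY
    src: str                # CIDR or ANY
    dst: str                # CIDR or ANY
    dport: Optional[int]    # destination port; None means any port
    name: str

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != ANY and self.proto != proto:
            return False
        if self.src != ANY and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != ANY and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation, as most firewalls do. Returns (action, rule name)."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action, r.name
    return default, "implicit-default"


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    if a.proto != ANY and a.proto != b.proto:
        return False
    for a_net, b_net in ((a.src, b.src), (a.dst, b.dst)):
        if a_net != ANY:
            if b_net == ANY or not ip_network(b_net).subnet_of(ip_network(a_net)):
                return False
    if a.dport is not None and a.dport != b.dport:
        return False
    return True


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(_covers(earlier, r) for earlier in rules[:i])]


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Flag allow rules shaped like the permissive examples in the article."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.proto == ANY and r.src == ANY and r.dst == ANY:
            findings.append((r.name, "allows any protocol from any source to any destination"))
        elif r.proto == ANY:
            findings.append((r.name, "allows every protocol and port between the listed endpoints"))
        elif r.proto in ("tcp", "udp") and r.dport is None:
            findings.append((r.name, f"allows every {r.proto} port"))
    return findings


# Constructed rule sets. BAD starts with the "worst scenario" allow any rule;
# the deny rule below it is intended to block Telnet to the server subnet.
BAD = [
    Rule("allow", ANY, ANY, ANY, None, "allow-any-any-any"),
    Rule("deny", "tcp", ANY, "10.0.0.0/24", 23, "block-telnet-to-servers"),
]

# GOOD permits only the flows that are actually needed and relies on the
# implicit default deny for everything else.
GOOD = [
    Rule("allow", "tcp", ANY, "10.0.0.5/32", 443, "inbound-https-to-web"),
    Rule("allow", "tcp", "10.0.1.0/24", ANY, 443, "outbound-https-from-clients"),
    Rule("allow", "udp", "10.0.1.0/24", "10.0.0.53/32", 53, "dns-to-resolver"),
]

if __name__ == "__main__":
    # Telnet from an outside host to an internal server: allowed by BAD, denied by GOOD.
    print("BAD :", evaluate(BAD, "tcp", "203.0.113.9", "10.0.0.5", 23))
    print("GOOD:", evaluate(GOOD, "tcp", "203.0.113.9", "10.0.0.5", 23))
    print("shadowed in BAD:", shadowed(BAD))
    print("audit findings in BAD:", audit(BAD))
```

Running the block shows the Telnet connection being allowed by `allow-any-any-any` even though `block-telnet-to-servers` sits right below it, and `shadowed()` names that deny rule as unreachable. The same packet falls through `GOOD` to the implicit default deny. `audit()` flags the shapes the article lists, all of which share an unrestricted protocol; a stricter policy that flags any “any” field in an allow rule is a one-line change to the last condition.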