# Firewall Baseline
## Default stance

Deny by default between all internal zones, including zones of the same trust level. Every allow rule is documented with its purpose, its source and destination (zone or specific hosts) and the protocols and ports it permits; anything not on that list falls through to the implicit deny.
## Zone model
| Zone | Trust Level | Notes |
|---|---|---|
| Management | High | Admin systems only |
| Servers | High | Domain controllers and infrastructure servers |
| Workstations | Medium | User devices |
| Printers | Low | Restricted access |
| Voice | Low | Future VoIP |
| Corporate WiFi | Medium | RADIUS-authenticated devices |
| Guest | Untrusted | Internet only |
| DMZ | Semi-trusted | Public-facing services; assume a DMZ host can be compromised when writing any rule from it into internal zones |
| Backup | High | Backup systems and traffic |
## Initial rules

### Management to Servers

Allow only the administration protocols actually in use, scoped to the admin hosts that need them:

- RDP (3389/TCP), only if needed
- WinRM (5985/TCP, or 5986/TCP when WinRM over HTTPS is used)
- SMB admin shares (445/TCP), only if needed
- DNS (53/TCP and UDP)
- ICMP echo for troubleshooting
### Workstations to Domain Controllers

Allow the AD client traffic, with the domain controller addresses as the destination rather than the whole Servers zone:

- DNS (53/TCP and UDP)
- Kerberos (88/TCP and UDP) and Kerberos password change (464/TCP and UDP)
- LDAP (389/TCP and UDP) and LDAPS (636/TCP); Global Catalog (3268/TCP and 3269/TCP) if clients query it
- SMB (445/TCP) for SYSVOL and NETLOGON
- RPC endpoint mapper (135/TCP) and the dynamic RPC range (49152-65535/TCP by default on current Windows), as required
- NTP (123/UDP)
### Guest network

- Deny all RFC1918 and other internal ranges, including the firewall's own interface addresses (apart from the DHCP and DNS the guest segment itself needs)
- Allow Internet; "Internet" is normally written as destination any, so this rule must sit below the internal deny or the deny never matches
### DMZ

- Allow Internet as needed, per host and port where practical rather than any
- Deny DMZ to internal networks by default
- Add explicit reverse-proxy or application rules only when required, each limited to one source host, one destination host and one port, so that a compromised DMZ host gains nothing beyond that single path
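The rule sections above are easier to reason about when they are written down as an ordered, first-match list and checked against sample flows before they go into the firewall. The following is an added illustration, not the site's own configuration: it models the zone map and the initial rules in Python and evaluates a few flows, including the guest rule-ordering mistake. All subnets and the domain controller addresses are assumed for illustration.

```python
"""Policy-as-code model of the inter-zone baseline (added example, not the site's config)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: hypothetical /24s, substitute the real zone subnets.
ZONES = {
    "management":   ip_network("10.0.10.0/24"),
    "servers":      ip_network("10.0.20.0/24"),
    "workstations": ip_network("10.0.30.0/24"),
    "printers":     ip_network("10.0.40.0/24"),
    "corp_wifi":    ip_network("10.0.50.0/24"),
    "backup":       ip_network("10.0.60.0/24"),
    "dmz":          ip_network("172.16.0.0/24"),
    "guest":        ip_network("192.168.100.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed domain controller addresses inside the Servers zone.
DOMAIN_CONTROLLERS = {ip_address("10.0.20.10"), ip_address("10.0.20.11")}

# (proto, port) pairs for the two allow sections; ICMP is modelled with port 0.
ADMIN_SERVICES = {
    ("tcp", 3389),                  # RDP
    ("tcp", 5985), ("tcp", 5986),   # WinRM HTTP / HTTPS
    ("tcp", 445),                   # SMB admin shares
    ("tcp", 53), ("udp", 53),       # DNS
    ("icmp", 0),                    # echo for troubleshooting
}
AD_CLIENT_SERVICES = {
    ("tcp", 53), ("udp", 53),       # DNS
    ("tcp", 88), ("udp", 88),       # Kerberos
    ("tcp", 389), ("tcp", 636),     # LDAP / LDAPS
    ("tcp", 445),                   # SMB (SYSVOL, NETLOGON)
    ("tcp", 135),                   # RPC endpoint mapper
    ("udp", 123),                   # NTP
}
DYNAMIC_RPC = range(49152, 65536)   # default Windows dynamic RPC range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int = 0


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet" if ip.is_global else "unassigned"


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


def mgmt_to_servers(f: Flow) -> bool:
    return (zone_of(f.src) == "management" and zone_of(f.dst) == "servers"
            and (f.proto, f.dport) in ADMIN_SERVICES)


def workstations_to_dc(f: Flow) -> bool:
    # Destination is the DC hosts, not the whole Servers zone.
    if zone_of(f.src) != "workstations" or ip_address(f.dst) not in DOMAIN_CONTROLLERS:
        return False
    return (f.proto, f.dport) in AD_CLIENT_SERVICES or (f.proto == "tcp" and f.dport in DYNAMIC_RPC)


# Ordered rule list, first match wins; anything unmatched hits the default deny.
# "Allow Internet" is written as most firewalls express it, destination any,
# which is why the internal deny has to sit above it.
RULES = [
    ("mgmt-admin-to-servers", mgmt_to_servers, "allow"),
    ("workstations-ad-to-dc", workstations_to_dc, "allow"),
    ("guest-deny-internal", lambda f: zone_of(f.src) == "guest" and is_internal(f.dst), "deny"),
    ("guest-allow-any", lambda f: zone_of(f.src) == "guest", "allow"),
    ("dmz-deny-internal", lambda f: zone_of(f.src) == "dmz" and is_internal(f.dst), "deny"),
    ("dmz-allow-any", lambda f: zone_of(f.src) == "dmz", "allow"),
]


def evaluate(flow: Flow, rules=RULES) -> tuple:
    """Return (action, rule name) for the first matching rule, else the implicit deny."""
    for name, matches, action in rules:
        if matches(flow):
            return action, name
    return "deny", "default-deny"


def guest_leak_if_misordered() -> str:
    """Rule order matters: with the guest allow above the deny, a guest reaches a DC."""
    misordered = [RULES[3], RULES[2]] + [r for r in RULES if r not in (RULES[2], RULES[3])]
    return evaluate(Flow("192.168.100.7", "10.0.20.10", "tcp", 445), misordered)[0]


if __name__ == "__main__":
    samples = [
        Flow("10.0.10.5", "10.0.20.10", "tcp", 5985),     # mgmt WinRM to a DC: allow
        Flow("10.0.30.15", "10.0.20.10", "tcp", 88),      # workstation Kerberos to a DC: allow
        Flow("10.0.30.15", "10.0.20.10", "tcp", 3389),    # workstation RDP to a DC: deny
        Flow("10.0.30.15", "10.0.20.50", "tcp", 445),     # workstation SMB to a non-DC server: deny
        Flow("192.168.100.7", "8.8.8.8", "udp", 53),      # guest to Internet: allow
        Flow("192.168.100.7", "10.0.20.10", "tcp", 445),  # guest to a DC: deny
        Flow("172.16.0.20", "10.0.20.10", "tcp", 443),    # DMZ to internal: deny
    ]
    for f in samples:
        print(f"{f.src:>15} -> {f.dst:<12} {f.proto}/{f.dport:<5} {evaluate(f)}")
    print("guest reaches a DC when the deny sits below the allow:", guest_leak_if_misordered())
```

The model deliberately writes the guest and DMZ Internet allows as "any", the way they usually end up in a real rule base, so that `guest_leak_if_misordered()` shows what happens when the internal deny is placed below them. Adding each new documented flow as a rule plus a sample `Flow` keeps the list and its expected behaviour together.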
## Logging

Log all denied traffic during the early phases; the deny log is the quickest way to find undocumented flows that the new baseline broke, and each one is either added as a documented rule or confirmed as unwanted. Later, reduce the noisy denies (broadcast and multicast, Internet background scanning against the outside interface) and keep the security-relevant events: denies from Guest and DMZ into internal zones, and hits on the administration rules into Servers.