Firewall – Does the TCP-UDP-Proxy policy in Watchguard open me to security problems


I don't remember seeing this policy since it seems to me like an "all ports open" kind of thing. It is set by default to "tcp:0(any) – udp:0(any)".
If I disable this, even web traffic wouldn't work although I specifically have the HTTP-proxy policy enabled…
Is this normal? Abnormal? What is the best practice?
I'm dealing with trying to find the CryptoLocker virus, which led me to this…

Best Answer

This rule allows any outgoing traffic, and conversations started by an internal machine. It is fairly common to set up such a rule. I think most of the WatchGuard models have that rule by default.

With just this rule enabled, computers on the Trusted side can open any connection they want. Computers on the External side can reply, but can't initiate a connection.

My guess is that although you have an HTTP proxy policy (which should be From 'Any-Trusted' to 'Any-External'), you don't have rules for DNS traffic - no DNS resolution, so no web traffic.

Best practice is to block everything, then allow the traffic you want. At a minimum for a typical office network, this would be HTTP and HTTPS traffic (optionally through a proxy), DNS (at least for your internal DNS server to connect to the outside world), and email traffic (SMTP, POP3, IMAP, etc.; it depends on what you use, and might only be allowed for your internal email server to connect directly to the outside world).

However, maintaining this can be frustrating. People want to use Adobe whatever for video conferencing, and a contractor needs to access their website on a non-default port, etc. So some people opt to allow all outgoing connections, and worry about filtering what is coming in. Either way can be acceptable, depending on how secure you need to be, how much you trust the Trusted side of the network, and how much time and effort you can devote to maintaining the firewall rules.
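The diagnosis in the answer above (an HTTP-proxy rule alone leaves browsing broken because the DNS lookup that precedes every web request has no matching policy) can be checked with a small default-deny policy model. This is an added example, not code from the original post or from WatchGuard; the policy names, the Trusted/External aliases and the assumption that DNS is UDP/53 only are illustrative.

```python
# Added example: a toy default-deny policy evaluator for outbound traffic.
# Policy names and the Any-Trusted / Any-External aliases are illustrative.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    proto: str              # "tcp" or "udp"
    ports: frozenset        # empty set means any port, like "tcp:0(any)"
    src: str = "Any-Trusted"
    dst: str = "Any-External"

def allows(policy, proto, port, src, dst):
    return (policy.proto == proto and policy.src == src and policy.dst == dst
            and (not policy.ports or port in policy.ports))

def permitted(policies, proto, port, src="Any-Trusted", dst="Any-External"):
    """Default deny: a new connection passes only if some policy matches it.
    Replies to an allowed connection are handled by the firewall's state
    table and never consult these policies, so only initiations are modelled."""
    return any(allows(p, proto, port, src, dst) for p in policies)

def web_fetch_works(policies):
    """A browser first resolves the name (assumed UDP/53 here), then opens
    TCP/80 or TCP/443. Report the first step that no policy permits."""
    for proto, port in [("udp", 53), ("tcp", 80), ("tcp", 443)]:
        if not permitted(policies, proto, port):
            return False, f"blocked: {proto}/{port}"
    return True, "ok"

ANY = frozenset()
# The default "tcp:0(any) - udp:0(any)" policy from the question.
TCP_UDP_PROXY = [Policy("TCP-UDP-Proxy", "tcp", ANY),
                 Policy("TCP-UDP-Proxy", "udp", ANY)]
# The questioner's situation: HTTP-proxy enabled, TCP-UDP-Proxy disabled.
HTTP_ONLY = [Policy("HTTP-proxy", "tcp", frozenset({80}))]
# The answer's minimal allow-list for web browsing.
MINIMAL = [Policy("HTTP-proxy", "tcp", frozenset({80})),
           Policy("HTTPS-proxy", "tcp", frozenset({443})),
           Policy("DNS", "udp", frozenset({53}))]

if __name__ == "__main__":
    for label, ps in [("TCP-UDP-Proxy", TCP_UDP_PROXY),
                      ("HTTP-proxy only", HTTP_ONLY),
                      ("HTTP+HTTPS+DNS", MINIMAL)]:
        print(f"{label:16} -> {web_fetch_works(ps)}")
    # External hosts cannot initiate under any of these policy sets.
    print("inbound tcp/80:", permitted(MINIMAL, "tcp", 80, "Any-External", "Any-Trusted"))
```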