Skip to content

Intent based firewall rules

Every company I have worked with has always had a transactional firewall process. Yes there are some that use automations in the backend, but from a customer perspective it works like this:

  • Customer decides they need connectivity through the network.
  • Customer submits a request to allow that connectivity
  • The connectivity is analysed, it is decided if changes are required, the changes are the made
  • The customer then tests the connectivity

Then thats it!

Thats a bit weird though isn't it, normally when something that is critical to the infrastructure you are deploying is done, you want to have some ownership of it.....you want a receipt, or maybe an easy path to follow it up and see if it is still working.

The folly of transactional

So essentially there... I've requested something that is key to my apps functionality. I've given it to another team, they've done it and told me to accept that it is done correctly and will remain in place to some undetermined time in the future.

What are the problems with this:

  • I don't 'own' the rule, I am just a person that put in a request at some point in time
  • They may not have done anything! The rule could have been already allowed
  • In which case my infrastructure now is reliant on a rule that was requested by someone else and has no relation to my project.
  • I cannot easily change the rule
  • I have no way to remove the rule to re-secure my application if I no longer need that flow
  • once a firewall rule is in place it is traditionally very hard to take out.

Fixing the wrong problem

This 'transactional' nature of firewall requests within organisations is often a major area of focus.

How can we put the rules in faster! Get rid of all this process bloat!

So teams generally focus on two methods to make this faster:

  • Removing security controls and oversight
  • We shouldn't be checking everything lets just get it in, we don't need zero-trust for most of the network...remove it!
  • 'Service Mesh' or equivalent

Service Mesh is a proven unreachable goal

What do I mean by Service Mesh? Well there are many definitions but essentially it means that you have a CMDB that is so good and so up-to-date, that you can reliably just get customer to request;

Connectivity from App_A to App_B

That being theoretically the only information that you need.

Now that works great in the lab, and it is a great idea, but in reality, no-ones network is that clean and especially no-ones CMDB is that reliable. In some ways the idea of Service Mesh is going to be a goal that is always 'just five years away'

What do we do

Well let me introduce you to an idea

Intention based Firewall rules

Instead of me filling out a form to ask your team for a firewall rule. Imagine this analogy.

The blacksmith and the road

I am a blacksmith in a medieval village, and I decide that in order to efficiently do my business, I need a road directly from my blacksmith workshop to the towns armoury.

I go to the towns notice board one evening and I put a large poster, with my requirement for the road from the blacksmith workshop to the armoury, why I need it and the payment of the towns fee for road building.

The Town

The Town

The Mayor

In the morning, the mayor walks past the noticeboard, he sees a new poster requesting the new road. Now the mayor being the approver of all roads in the town does some analysis:

  • Is this road feasible (i.e. can we deliver it)
  • Has the blacksmith given the required details.

If not the Mayor rips off the poster and throws it away, the blacksmith will have to try again.

If it's ok, the Mayor gets out his mayor seal of approval and marks it as APPROVED

At which point it joins a number of other posters on the notice board as being approved. However, unlike those posters this one only has one seal on it...it is missing a few

The towns workers

The other seals on the other posters include the following:

  • The builders, they have to build the road
  • The suppliers, they make sure the towns material stores can supply the new roads materials
  • The soldiers, they are responsible for the defence of the town. If they road compromises existing defences they need to relocate a wall, or fortify around the new road.
  • The gardeners, they must beautify the road to make sure it meets towns standards

Every one in the town knows that if the poster has first the mayors then the builders, the soldiers and the gardeners seals on it, it is completed and ready for use!

The soldiers

They walk past the poster, quickly they know that the blacksmiths road doesn't change any defenses. So they stamp their seal on the poster.

The suppliers

They know that the towns material supplies are full, so they stamp the seal and move on.

The builders

They see the poster and know they have a bit of work to do. But the builders have also promised the town that any road requested of them will be done in 1 week. So they get building.

Eventually when it is done, they come back and stamp their seal on the poster.

The gardeners

The gardeners have a little bit of work to do and they can't finish before the builders are completed. So they start anyway, but wait until the builders seal is on the poster to do their final sign of and seal the poster.

Back to the blacksmith

After a few days, the blacksmith sees the poster with all the seals. They smile knowing it is completed and they can start shipping product to the armoury.

noticeboard

The noticeboard

The blacksmith also takes responsibility for a few things:

  • They own the poster and are the only one that can take it down (or someone else from the blacksmiths business)
  • If they change the poster in any way, they have to erase all the seals.
  • They commit to the town, if they are no longer using the road. They will take the poster down, potentially giving the town back some resources.

Intended state

  • The blacksmith posted up their intended/required state.
  • The town accepted it and met it.
  • The blacksmiths business owns this requirement and promises to take it down if he doesn't need it.

The cobbler

Now the cobbler has a workshop right next to the blacksmith, and they also need access to the armoury to repair the soldiers shoes and armour.

The cobbler sees the road is already there, however, this road is very important for his business. He cannot just rely on the blacksmith continuously needing to use the road. Plus the town needs to know all the people that are reliant on the road.

So the cobbler puts together a poster and posts it up on the towns notice board.

The seals

The mayor once again comes in the morning, sees the cobblers poster, thinks great it's already there, so he puts the mayors seal of approval on the poster.

The builders, the soldiers, the suppliers and the gardeners all come through and see the poster throughout the day. All see that they don't need to do anything for it, so they all mark it with their seals.

It is now completed!

What does this change

Well for one, at any point in the future the towns people can look at the notice board and see exactly which businesses rely on the road to the armoury.

The blacksmiths and cobblers request process was very clear, they didn't need to negotiate with multiple townsfolk. They put it in the right format and it was accepted by the town (represented by the mayor). If the mayor changes in the future, the seal of their office still remains!

The mayor, the soldiers, the builders, the supplier and the gardeners plus all the other townsfolk can easily look at the noticeboard each day and see that road is a requirement! They cannot overbuild the road or cut it off. The soldiers for example would know they could never build a fortification cutting off that road whilst the posters are still up.

Intention

Now apply this to an enterprise. This system based on the declaration of customer requirements ends up creating a reliable, auditable and well-publicised source of customer requirements.

This source can stand the test of time, through changing teams and responsiblities and also most importantly through the changing technologies and implementations.

That medieval town could be a bustling city in the future, road-building techniques and approvals could be completely different, but still, if it was based off of a valid customer state and intention. New technologies can easily be implemented without effecting new or existing customers.

The major point of this is it moves a transactional high-cognitive load process to one that is based on a simple customer requirement that is correctly implemented and maintained as long as it still was required.