Anyone know a better way for implicit deny rules?

IT_Magician
Building a reputation

Anyone know a better way for implicit deny rules?

Hey Gurus,

 

So we have a customer that is pushing hard for implicit deny. We spoke with Meraki support and they said they do support implicit deny, however in practice it doesn't work. That is because in order for a VLAN to reach the WAN, they said the destination must be set to ANY. So really for a VLAN to reach WAN it needs ANY which means it talks to all VLANs, are we are no where close to implicit deny.

 

Deny Rule.png

 

6 Replies 6
jdsilva
Kind of a big deal

Hey @IT_Magician ,

 

Not to be pedantic, but as soon as you manually specify a rule it's no longer implicit, that's an explicit rule. Implicit rules are those rules that you cannot change or modify, they are just there. Your rule 3 is an explicit rule. The "Default rule" on the end is an implicit rule. 

 

As for your problem, you are going to have to put deny rules before your permit any that deny intranet traffic accordingly. There isn't really a way around this. The point to take away here though is that your permit any statements have specific sources and don't "permit any any" thereby maintaining a higher level of security.  

IT_Magician
Building a reputation

Thanks for sharing, I didn't think there would be a work around. We replaced their Fortigate and the IT team is used to everything being blocked by default and you allow what you want. The concern they have is it opens up for human error to forget to block a new VLAN because everything is allow.

jdsilva
Kind of a big deal


@IT_Magician wrote:

Thanks for sharing, I didn't think there would be a work around. We replaced their Fortigate and the IT team is used to everything being blocked by default and you allow what you want. The concern they have is it opens up for human error to forget to block a new VLAN because everything is allow.


As long as you have specific sources in your permit any rules this shouldn't be a concern. 

PhilipDAth
Kind of a big deal
Kind of a big deal

What are you trying to achieve?

 

Do you want the VLAN to only be able to talk to the Internet, or only be able to talk to internal VLANs and not the Internet?

KarstenI
Kind of a big deal
Kind of a big deal

I am not sure if I really get the problem, but with my customers that want the strictest access-control I typically have 3 or 4 statements per VLAN:

1) Allow to internal ressources (this could be multiple entries)

2) Deny to RFC1918

3) Allow to Internet-Ressources (this could be multiple entries)

(4 Deny to any)

 

And not to forget to place similar rules indo the S2S-Firewall.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
IT_Magician
Building a reputation

I never came back to update this post so doing this now. We did end up figuring out the best way for us to implement implicit deny which I wrote up a guide to hopefully save others the headaches we went through. Implicit deny is possible and the link below shares what we learned and how we do it.

 

Cisco Meraki firewall with implicit deny? Yes, its possible.

Get notified when there are additional replies to this discussion.