Hi lobstercreed. Thanks for taking the time to reply. Just FYI these are healthy arguments and networking guys are fully engaged and encourage them. To this statement: 'Basically, either learn about networking enough to know how firewalls work and what the experienced network guys are trying to tell you, or admit that's not your bailiwick and quit trying to argue useless semantics.'
I am trying to learn. I don't agree that this is an argument on useless semantics to be honest. That is your opinion which you are of course entitled to.
Let me elaborate a little:
- No browsers involved these are all applications (microservices) we are developing that are talking together
- DLP is a big concern for our company
I don't necessarily agree that this is a semantical argument. The argument was actually the result of a pen test. So say for example I have a rule on a firewall that only allows port 443. A lot of architecture diagrams I see will display this with a blurb like 'only allow TLS/HTTPS'. Security will look at this and go 'great, only encrypted traffic will traverse this.'
I guess what I'm trying to find out is if this is really the case. From some quick coding, it's not, and I can write some code/apps at either end to send unencrypted data on a protocol other than HTTP/S on port 443. You state: 'however if my only goal is to allow the HTTPS traffic, and if that happens to include some SSL-VPN traffic, so be it, then all I have to do is allow port 443, just as your networking guys said.'
But yet I sent non-http traffic across that ACL.
So from what I have implemented, that ACL on the firewall does not allow/block based on anything other than port. So if protocol enforcement is required we need to look at inspection at the firewall or controls at the app layers or layer VPN atop some of the links we are concerned about.
Appreciate your feedback here.
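The gap the post describes, a port-only rule versus actual protocol enforcement, can be shown in a few lines. The following is an added example, not code from anyone in this thread: a toy classifier that looks at the first bytes of a TCP stream to tell a TLS ClientHello from plaintext HTTP or an arbitrary custom protocol, and an "ACL" in two flavours, one that checks only the destination port (what the firewall rule in the thread evaluates) and one that also requires the stream to look like TLS (what an inspection or app-layer control would add). The sample flows and the protocol name `MSG|` are constructed for the example; real DPI products validate far more than the record header.

```python
"""Port-only ACL versus protocol-aware check for traffic on TCP/443.

Added example (not the poster's code). The classifier inspects only the
start of a stream; the sample flows below are constructed for illustration.
"""

TLS_CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
# Record-layer major/minor version bytes seen in practice: SSL3.0 .. TLS1.2/1.3
TLS_RECORD_MINOR_VERSIONS = (0x00, 0x01, 0x02, 0x03)
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_stream_start(data: bytes) -> str:
    """Return 'tls', 'http-plaintext' or 'other' for the first bytes a client sends."""
    if (
        len(data) >= 6
        and data[0] == TLS_CONTENT_TYPE_HANDSHAKE
        and data[1] == 0x03
        and data[2] in TLS_RECORD_MINOR_VERSIONS
        and data[5] == TLS_HANDSHAKE_CLIENT_HELLO
    ):
        # Bytes 3-4 are the record length; a ClientHello that claims a zero-length
        # record is malformed, so treat it as unknown rather than as TLS.
        record_len = int.from_bytes(data[3:5], "big")
        if record_len > 0:
            return "tls"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "other"


def port_only_acl(dst_port: int, allowed_ports=(443,)) -> bool:
    """What a plain 'permit tcp any any eq 443' rule evaluates: the port, nothing else."""
    return dst_port in allowed_ports


def protocol_enforcing_acl(dst_port: int, data: bytes, required: str = "tls") -> bool:
    """Port rule plus a payload check: the stream must also look like the required protocol."""
    return port_only_acl(dst_port) and classify_stream_start(data) == required


# Constructed sample flows, all to port 443, as a pen tester might send them.
SAMPLE_FLOWS = {
    # Minimal TLS record: type 0x16, version 3.1, length 6, ClientHello (type 1, length 2, version 3.3)
    "tls_client_hello": (443, bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])),
    # Plain HTTP on the HTTPS port: admitted by a port rule, not encrypted at all
    "plaintext_http": (443, b"GET /api/customers HTTP/1.1\r\nHost: svc.internal\r\n\r\n"),
    # A home-grown microservice protocol carrying data in the clear (DLP concern)
    "custom_protocol": (443, b"MSG|record=12345|status=active\n"),
}


def evaluate(flows: dict) -> dict:
    """For each flow, (admitted by port-only ACL, admitted by protocol-enforcing ACL)."""
    return {
        name: (port_only_acl(port), protocol_enforcing_acl(port, data))
        for name, (port, data) in flows.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:18s} port-only={verdict[0]!s:5s} protocol-enforcing={verdict[1]}")
```

Running it shows all three flows passing the port-only rule and only the ClientHello passing the protocol-enforcing one, which is the distinction the pen test surfaced: "allow 443" is a port statement, and "only TLS" is a claim that needs an inspection or application-layer control to back it up.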