The risk of allowing UDP traffic through a layered firewall architecture

The risk of allowing UDP traffic through a layered firewall architecture

We have a layered firewall architecture. Would it be safe to allow UDP traffic through the second layer of firewalls? Meaning the components in the first layer (Internet facing) require UDP communications with devices in our second tier and possibly to our internal network. With defensive measures in place, is it safe to allow this type traffic?


    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

If you have blocked all UDP traffic from the outside, then you are safe from that UDP traffic. Allowing UDP traffic from the first layer nodes to the second layer, and perhaps to the inside network, does allow for malicious insiders to exploit the same UDP vulnerabilities you are protecting against from the outside. If this is an acceptable risk, then yes, it is "safe" to allow that type of traffic. If you are concerned about the insider risk, then no, it is not safe.

In general, you should deny all traffic and only allow that traffic that is needed. If you need specific UDP ports to be opened in the second tier for your setup to work, then only open those specific ports. There is no need to open them all, if only certain ones are needed.

What you need to do is balance the risk of allowing those communications with the operational need to have them. If the risk is considered to be low enough by someone with the authority to make that decision, then go ahead. What you really have is what is known as an Accreditation decision.

For more information on this topic, visit these other SearchSecurity resources:
Ask the Expert: Determining which TCP/IP services are needed
Ask the Expert: Explanation of ports


This was first published in April 2002