No any-any allow rules
Demonstrate that all firewall, router ACL, and network security group rules enforce explicit source and destination restrictions, and that no rule permits unrestricted any-to-any traffic flows across security boundaries.
Description
What this control does
This control prohibits the configuration of overly permissive firewall or network access control list (ACL) rules that allow traffic from any source to any destination on any protocol or port (any-any-any rules). Such rules effectively bypass network segmentation and access control enforcement by creating unrestricted pathways through security perimeters. The control requires that all network policy rules specify explicit source addresses, destination addresses, protocols, and port ranges based on legitimate business requirements and the principle of least privilege.
Control objective
What auditing this proves
Demonstrate that all firewall, router ACL, and network security group rules enforce explicit source and destination restrictions, and that no rule permits unrestricted any-to-any traffic flows across security boundaries.
Associated risks
Risks this control addresses
- Lateral movement by attackers who gain initial access to any network segment, allowing them to pivot freely across the entire environment without restriction
- Exfiltration of sensitive data through unrestricted outbound connections to attacker-controlled infrastructure without detection or blocking
- Malware propagation across network segments including from compromised endpoints to critical servers and databases
- Bypass of DMZ segmentation allowing direct access from untrusted zones to internal production systems
- Inability to enforce compliance requirements for network segmentation such as PCI DSS cardholder data environment isolation
- Reduced effectiveness of intrusion detection and security monitoring due to inability to establish expected traffic baselines
- Masking of the accidental or malicious removal of more restrictive rules, since a catch-all permit keeps the affected traffic flowing and the loss of the specific rule goes unnoticed
Testing procedure
How an auditor verifies this control
- Obtain current firewall rulebase exports, router ACL configurations, and cloud security group policies from all network security enforcement points including perimeter firewalls, internal segmentation firewalls, and virtualization platform security policies
- Parse each ruleset to identify permit rules whose source field is configured as 'any', '0.0.0.0/0', '::/0', or an equivalent wildcard designation (a terminal explicit deny-any-any cleanup rule is expected and is not a finding)
- For identified rules with any-source configuration, examine whether the destination is also configured as 'any' or a wildcard equivalent
- Review rules with both any-source and any-destination to determine if service/port fields are also unrestricted (any protocol, any port, or IP protocol 'any')
- For any identified any-any rules, obtain documented business justification and review against network architecture diagrams to validate whether the rule serves a legitimate segmentation design or represents an exception
- Verify that any documented exceptions follow change control procedures, include time-bound expiration dates, and have been approved by designated security authority
- Cross-reference findings against vulnerability scan results and penetration test reports to determine if any-any rules have been exploited or identified as high-risk findings
- Validate enforcement by reviewing firewall hit counts and logs for traffic matched by overly broad rules, and confirm that no production traffic relies on an any-any rule for normal business operations (hits on such a rule also show which explicit flows must replace it before it is removed)
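The parsing steps above can be scripted once the exports are normalized. The following is an added example, not part of the control text or of any vendor tooling: it assumes the rulebase has already been converted into flat rule records with source, destination, protocol, ports and action fields (vendor-specific forms such as wildcard masks or object-group names resolved beforehand), applies the any-source, any-destination and any-service checks in sequence, and excludes deny rules so that the usual cleanup rule is not reported. The sample rulebase is constructed for illustration.

```python
"""Flag any-any (and any-any-any) permit rules in a normalized rulebase export.

Added example for the testing procedure; it is not part of the control text
and assumes exports have already been converted into a flat list of rule dicts
with source, destination, protocol, ports and action fields. Vendor-specific
forms (wildcard masks, object-group names) must be resolved before this runs.
"""
import ipaddress

# Wildcard spellings commonly seen in firewall, ACL and cloud security-group exports
ANY_ADDRESS = {"any", "*", "all", "0.0.0.0/0", "::/0"}
ANY_PROTOCOL = {"any", "*", "all", "ip", "-1"}      # "-1" is the AWS "all protocols" value
ANY_PORT = {"any", "*", "all", ""}
PERMIT_ACTIONS = {"allow", "permit", "accept"}


def _as_list(field):
    return list(field) if isinstance(field, (list, tuple, set)) else [field]


def is_any_address(field):
    """True if a source/destination field admits every IPv4 or IPv6 host."""
    for raw in _as_list(field):
        value = str(raw).strip().lower()
        if value in ANY_ADDRESS:
            return True
        try:                                   # catches 0.0.0.0/0 and ::/0 in any spelling
            if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass                               # names and object groups count as explicit
    return False


def is_any_protocol(field):
    return any(str(v).strip().lower() in ANY_PROTOCOL for v in _as_list(field))


def is_any_port(field):
    """True if a service field is a wildcard or spans the full 0/1-65535 range."""
    for raw in _as_list(field):
        value = str(raw).strip().lower()
        if value in ANY_PORT:
            return True
        low, _, high = value.partition("-")
        if high and low.isdigit() and high.isdigit() and int(low) <= 1 and int(high) >= 65535:
            return True
    return False


def classify_rule(rule):
    """Apply the any-source -> any-destination -> any-service steps to one rule."""
    permits = str(rule["action"]).lower() in PERMIT_ACTIONS
    src_any = is_any_address(rule["source"])
    dst_any = is_any_address(rule["destination"])
    proto_any = is_any_protocol(rule["protocol"])
    port_any = is_any_port(rule["ports"])

    if not permits:
        verdict = "deny rule (out of scope)"   # a terminal deny-any-any is expected
    elif src_any and dst_any:
        if proto_any:
            verdict = "any-any-any"
        elif port_any:
            verdict = f"any-any ({str(rule['protocol']).lower()}, all ports)"
        else:
            verdict = "any-any (service restricted)"
    elif src_any:
        verdict = "any-source"                 # e.g. an Internet-facing listener
    elif dst_any:
        verdict = "any-destination"            # e.g. unrestricted outbound
    else:
        verdict = "restricted"
    return {"id": rule["id"], "source_any": src_any, "destination_any": dst_any,
            "protocol_any": proto_any, "port_any": port_any, "verdict": verdict}


def classify_rules(rules):
    return [classify_rule(r) for r in rules]


def any_any_rule_ids(rules):
    """IDs of permit rules that need a documented, time-bound exception."""
    return [f["id"] for f in classify_rules(rules) if f["verdict"].startswith("any-any")]


# Constructed sample rulebase (not a real export).
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "source": "10.20.0.0/16", "destination": "10.30.5.10",
     "protocol": "tcp", "ports": "443"},                            # explicit, least privilege
    {"id": 20, "action": "allow", "source": "0.0.0.0/0", "destination": "203.0.113.25",
     "protocol": "tcp", "ports": "443"},                            # public web listener
    {"id": 30, "action": "allow", "source": "any", "destination": "any",
     "protocol": "tcp", "ports": "1-65535"},                        # any-any over all of TCP
    {"id": 40, "action": "allow", "source": ["10.0.0.0/8", "::/0"], "destination": "any",
     "protocol": "-1", "ports": "*"},                               # AWS-style all-protocols rule
    {"id": 50, "action": "deny", "source": "any", "destination": "any",
     "protocol": "any", "ports": "any"},                            # cleanup deny, not a finding
]

if __name__ == "__main__":
    for finding in classify_rules(SAMPLE_RULES):
        print(f"rule {finding['id']:>3}: {finding['verdict']}")
    print("needs documented exception:", any_any_rule_ids(SAMPLE_RULES))
```

Rule 20 is reported as any-source rather than any-any: an Internet-facing listener with an explicit destination and port is a normal design and belongs to the per-service review, whereas rules 30 and 40 are the ones that must be matched against a documented, approved, time-bound exception. Rule 30 shows why the port check matters: a specific protocol with the full port range is still an any-any pathway.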
Where this control is tested