Let's face it, host-based firewalls are a very nice way to increase your network security at near-zero deployment cost. IPFilter, Linux, *BSD and then most operating systems started including some sort of host-based firewall during their evolution; even Windows did!
So, why near-zero?
Pretty simple. When you design a new infrastructure, in most cases, working as an architect, you have a clear idea of the complete network flow matrix (or at least a very good understanding of it). But when you did not design it, when you are the system engineer handed this task on an existing infrastructure you do not know, how do you approach the problem?
Typically, you go out asking your colleagues (if any are available), you write to the application maintainers/developers (when they have a clue), and often, by the time you finally get some answers, the project or the billable time is finished. The result is that in the lucky cases you end up with some sort of policy that allows anything internally and only the exposed interfaces towards the Internet (http/https); in all other cases nobody takes the responsibility for blocking a production system because of unknown network flows, so a wonderful any/any/any/allow fits the job.
Why not take an intelligent approach? Configure NetFlow on your friendly neighborhood spid^H^H^H^H router/UTM, fire up your Fl0wer collector, trace a week of traffic (or even more for critical or unknown servers), convert it to CSV, import it into your spreadsheet and analyze it.
You'll find a wealth of information and your policies will be based on real traffic data, not on "I heard that this application needs...".
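The spreadsheet step above can be scripted. The following added example (not from the original post, and not Fl0wer's code) collapses a CSV export of flow records into a per-host flow matrix and splits it into allow-rule candidates and rarely seen flows that need a human decision; the CSV column names and the sample records are constructed assumptions, not Fl0wer's real export layout.

```python
import csv
import io

# Constructed sample: one week of NetFlow records for host 10.0.1.20, exported to CSV.
# The column names are an assumption, not Fl0wer's real export layout.
FLOW_CSV = """src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
192.168.5.10,10.0.1.20,TCP,51234,443,120,98000
192.168.5.11,10.0.1.20,TCP,51877,443,95,77000
192.168.5.10,10.0.1.20,TCP,52001,80,3,300
10.0.1.20,10.0.2.5,TCP,40010,5432,800,650000
10.0.1.20,10.0.2.5,TCP,40011,5432,790,640000
10.0.1.20,10.0.0.53,UDP,33001,53,200,21000
10.0.1.20,10.0.0.53,UDP,33002,53,180,19000
10.0.9.9,10.0.1.20,TCP,60000,22,1,60
"""
HOST = "10.0.1.20"

def flow_matrix(csv_text, host):
    """Collapse raw flows into the host's service matrix, keyed by direction,
    protocol and destination port; ephemeral source ports are ignored."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto, dport = row["proto"], int(row["dst_port"])
        if row["dst_ip"] == host:       # inbound: the host serves dport
            key, peer = ("in", proto, dport), row["src_ip"]
        elif row["src_ip"] == host:     # outbound: the host consumes dport on a peer
            key, peer = ("out", proto, dport), row["dst_ip"]
        else:
            continue                    # flow does not involve this host
        entry = matrix.setdefault(key, {"flows": 0, "bytes": 0, "peers": set()})
        entry["flows"] += 1
        entry["bytes"] += int(row["bytes"])
        entry["peers"].add(peer)
    return matrix

def candidate_rules(matrix, min_flows=2):
    """Split the matrix into allow-rule candidates and rarely seen entries that
    need a human decision before they are either allowed or dropped."""
    allow, review = [], []
    for (direction, proto, dport), e in sorted(matrix.items()):
        rule = (f"{direction} {proto} dport {dport} peers={','.join(sorted(e['peers']))}"
                f"  # {e['flows']} flows, {e['bytes']} bytes")
        (allow if e["flows"] >= min_flows else review).append(rule)
    return allow, review

if __name__ == "__main__":
    allow, review = candidate_rules(flow_matrix(FLOW_CSV, HOST))
    print("\n".join(["# allow"] + allow + ["# review"] + review))
```

On the sample data the single SSH connection and the lone port-80 probe land in the review list instead of being silently allowed, which is exactly the kind of flow a spreadsheet pass tends to wave through.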