Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?

August 30, 2022
Network and Cloud Security
Firewall Rules

Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.

What is the control?

A fundamental best practice of information security is to deny by default. This means that systems should always deny access unless it is not explicitly allowed. In the case of network firewalls, this means that all connection attempts should be refused by a blanket “deny all” rule unless a more specific rule says otherwise.

Why should I have it?

If we were to have to explicitly deny all unwanted traffic it would require creating rules against potentially millions of types of traffic and sources.

What these types of traffic and sources are would be virtually impossible to list or predict. It also means that we might allow unneeded traffic types or sources that we didn’t necessarily consider as possibly malicious.

It’s far more effective to deny all traffic and then allow what we know to be required, or “good”, traffic. This also allows us to assess and document all the allowed sources more effectively.

Another benefit of this approach is that if something is missed, it is almost certain to be noticed due to the application not working and someone raising a functional issue, the investigation of which would reveal the need for the firewall rule. Conversely, an unnecessarily open port or protocol would likely go unnoticed and present an ongoing avenue of exposure.

How to implement the control

Your network security policy should dictate that all access is to be denied unless specifically allowed. This should be implemented through the application of “deny all” rules on all firewalls which can only be overruled by a more prescriptive rule.

Note: It’s important to understand the exact syntax and command order to use in implementing such rules as not all firewall vendors operate in the same way. This can cause dangerous misconfigurations, so care in ensuring configurations are correct is critical.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.