Guess it depends on whether you take a... default deny or default allow stance.

I've always been a default deny type... and everybody here tends to follow that
convention.

So, it's implicitly deny everything, and explicitly allow only that which is
expressly permitted.

Though there are a few places where I've had to do the implicit allow all,
and then explicitly deny things. Usually places where there had never been a
firewall before, but now we need to protect or enforce policy...

And, that's for inbound.

For outbound, we've always been default allow all... and that's the end of it.
Though we are being pressured to change the practice to be default deny all,
and be explicit on what goes out. And there's one place where I had started
looking at it... our public unix servers. I had thought the previous admin had
it locked down... but found that it's not, and there's all kinds of stuff that
shouldn't be going on... but is, and I don't know if it's okay or not. Someday I
should find some time to sift through the logs again...

----- Original Message -----
> I always prefer the explicit Deny - it makes troubleshooting at 3am so
> much easier when you see the rule right there and don't have to remember
> if something negated (Cisco I'm looking at you) the explicit deny
> somewhere (or even that it exists)
> 
> On 3/22/2012 4:25 PM, Paul Graydon wrote:
> > Aloha,
> >
> > I was tasked with clearing up some ambiguities in our firewalls.
> > Nothing too major, just some irritating stuff for the most part
> > (commenting all the rules etc), but I got to wondering:
> >
> > Which is better practice, to have an explicit Deny / Deny at the end
> > of an access list, or leave it to the implicit one?
> >
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
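As an added example (not from the thread or any of its participants), this is what the convention discussed above looks like in Cisco IOS extended ACL syntax: an inbound default-deny list whose final explicit `deny ip any any log` does exactly what the implicit deny would do but gives you a hit counter and a syslog line, an outbound list for tightening the "default allow all" egress stance, and the "explicit deny, then permit everything" variant for a segment that never had a firewall. ACL names, interface names, ports and addresses (203.0.113.0/24 as "our" public range, 198.51.100.0/24 as the office, both RFC 5737 documentation ranges) are assumptions for illustration only.

```cisco
! Added example, not from the thread. ACL names, interface, addresses
! and ports are assumed.
!
! Inbound from the Internet: default deny. Only what is expressly
! permitted gets in. The last line matches exactly what the implicit
! deny would have matched, but it shows up with a match counter in
! "show ip access-lists" and logs the denied flows.
ip access-list extended FROM-INTERNET-IN
 remark --- public web server ---
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 remark --- admin ssh, office range only ---
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.20 eq 22
 remark --- return traffic for TCP sessions our hosts opened ---
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- explicit catch-all: same effect as the implicit deny, but visible ---
 deny   ip any any log
!
! Outbound from the public servers: the egress "default allow all" stance
! tightened to default deny. Permit what the servers are known to need,
! then log whatever hits the final deny; that log is the list of "stuff
! that shouldn't be going on" to sift through.
ip access-list extended TO-INTERNET-OUT
 remark --- DNS and NTP to our own resolvers/time sources ---
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.53 eq 53
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.53 eq 53
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.123 eq 123
 remark --- package updates / outbound web ---
 permit tcp 203.0.113.0 0.0.0.255 any eq 80
 permit tcp 203.0.113.0 0.0.0.255 any eq 443
 remark --- replies from our servers to inbound client sessions ---
 permit tcp 203.0.113.0 0.0.0.255 any established
 remark --- everything else: logged, then dropped ---
 deny   ip any any log
!
! The other stance mentioned above, for a segment that never had a
! firewall: explicit denies first, then permit everything. Note that the
! implicit deny never fires here, so nothing records what the final
! permit let through.
ip access-list extended LEGACY-SEGMENT-IN
 deny   tcp any any eq 23 log
 deny   tcp any any eq 445 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group FROM-INTERNET-IN in
 ip access-group TO-INTERNET-OUT out
```

After applying this, `show ip access-lists FROM-INTERNET-IN` prints a `(N matches)` count after every entry that has matched, including the final deny; an implicit deny has no entry and therefore no counter, which is the 3am troubleshooting point made in the reply above. Two caveats: the `log` keyword on a catch-all deny can generate a lot of syslog on a busy uplink, so keep an eye on it and drop `log` (or narrow the logged rule) once the list is tuned; and the `established` entries are stateless TCP-flag matching, so they do not help for UDP or for a router without inspection features.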