Define the Initial Internet Gateway Security Policy

The goal of a best practices internet gateway security policy is positive enforcement of allowed applications. However, it takes time to identify exactly which applications run on your network, which of them are critical to your business, and who needs access to each application. To create a Security policy based on application allow rules, start with a rulebase that liberally allows the applications you officially sanction for users, tolerated general business applications, and personal applications (if appropriate for your business).
The initial policy includes rules that explicitly block known malicious IP addresses and applications, plus temporary allow rules that help you refine the policy and preserve application availability while you transition to a best practices policy.
To apply a consistent security policy across multiple locations, reuse templates and template stacks so that the same policies apply to every internet gateway firewall at every location. Templates use variables to supply device-specific values such as IP addresses and FQDNs while maintaining a global security policy, which reduces the number of templates and template stacks you need to manage.
The following topics describe how to create the initial rulebase, explain why each rule is necessary, and highlight the risks of ignoring best practices recommendations:
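The rule ordering and the per-site template variable described above, modelled as an added example (not PAN-OS configuration or the vendor's own code): explicit block rules are evaluated first, sanctioned allow rules next, and the temporary allow rules last, with anything unmatched falling to the implicit deny. The rule names, application names, addresses and the "$internal_net" variable are constructed for this illustration; the review step tallies which applications were allowed only by a temporary rule, which is the information you need to refine those rules into explicit allow rules.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

KNOWN_BAD_IPS = frozenset({"198.51.100.7", "203.0.113.9"})  # constructed sample data, not a real feed
KNOWN_BAD_APPS = frozenset({"tor", "bittorrent"})
SANCTIONED_APPS = frozenset({"web-browsing", "ssl", "ms-office365"})
TOLERATED_APPS = frozenset({"dropbox", "slack"})  # general business apps, refined later
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    apps: frozenset = frozenset()   # empty = any application
    src: str = ""                   # template variable (assumed "$internal_net"), resolved per site
    dst: frozenset = frozenset()    # empty = any destination address
    temporary: bool = False         # transition rule, refined or removed later

def build_rulebase():
    """First match wins: explicit blocks, sanctioned allows, then temporary allows."""
    return [
        Rule("block-known-bad-ips", "deny", dst=KNOWN_BAD_IPS),
        Rule("block-malicious-apps", "deny", KNOWN_BAD_APPS),
        Rule("allow-sanctioned", "allow", SANCTIONED_APPS, "$internal_net"),
        Rule("allow-tolerated-temp", "allow", TOLERATED_APPS, "$internal_net", temporary=True),
    ]

def evaluate(rulebase, site_vars, app, src, dst):
    """Return the first matching rule, or None for the implicit default deny."""
    for rule in rulebase:
        if (rule.apps and app not in rule.apps) or (rule.dst and dst not in rule.dst):
            continue
        if rule.src:  # same rulebase everywhere; the address range comes from the site's variable
            if ipaddress.ip_address(src) not in ipaddress.ip_network(site_vars[rule.src]):
                continue
        return rule
    return None

def review(rulebase, site_vars, sessions):
    """Decide each (app, src, dst) session; tally apps allowed only by temporary rules."""
    decisions, temp_hits = [], Counter()
    for app, src, dst in sessions:
        rule = evaluate(rulebase, site_vars, app, src, dst)
        decisions.append((rule.name, rule.action) if rule else ("default-deny", "deny"))
        if rule and rule.temporary:  # candidate for an explicit allow rule in the final policy
            temp_hits[app] += 1
    return decisions, temp_hits
# Constructed sessions: sanctioned, tolerated, malicious, sanctioned-to-known-bad, other site's client.
SAMPLE_SESSIONS = [("web-browsing", "10.1.5.5", "192.0.2.10"), ("dropbox", "10.1.5.6", "192.0.2.11"),
                   ("tor", "10.1.5.7", "192.0.2.12"), ("web-browsing", "10.1.5.8", "198.51.100.7"),
                   ("web-browsing", "10.2.5.5", "192.0.2.10")]
```

Running `review(build_rulebase(), {"$internal_net": "10.1.0.0/16"}, SAMPLE_SESSIONS)` shows the sanctioned session to a known-bad address being denied before any allow rule is reached, and reports dropbox as the only application that depended on a temporary rule.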