Define the Initial Internet Gateway Security Policy
The goal of a best practices internet gateway security policy is positive enforcement: allow
only the applications you know and need, and deny everything else. It takes time, however,
to identify the exact applications that run on your network, which of them are critical
to your business, and who needs access to each application. To build a Security policy
based on application allow rules, start with a rulebase that liberally allows the
applications you officially sanction for users, along with tolerated general business
applications and, if appropriate for your business, personal applications.
The initial policy includes rules that explicitly block known malicious IP addresses and
applications, plus temporary allow rules that help you refine the policy and preserve
application availability while you transition to a best practices policy. Because the
firewall evaluates rules top down and applies the first match, place the block rules above
the allow rules so that a temporary allow rule can never match traffic to a known malicious
destination.
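The temporary allow rules only pay off if you mine the traffic they log to learn which applications are actually in use and by whom. The following script, an added example that is not Palo Alto Networks code, reads a traffic log export, keeps only sessions that matched the temporary allow rule (so sessions already covered by an explicit allow or block rule are ignored), and splits the discovered applications into candidates for explicit allow rules versus applications that need a human decision first. The sample log lines are constructed, and their simplified column set, the rule names and the user-count threshold are assumptions for illustration, not the real PAN-OS traffic log schema.

```python
"""Mine traffic logs that matched a temporary allow rule to discover which
applications are in use and who uses them, as input for refining an initial
internet gateway rulebase toward explicit application allow rules.

Added example, not Palo Alto Networks code. The log lines are constructed and
use a simplified column set (assumed), not the real PAN-OS traffic log schema;
adapt the column names to your own export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export with simplified, assumed column names.
SAMPLE_TRAFFIC_LOG = """receive_time,src_user,src,dst,app,rule,action
2024-05-01 09:00:01,corp\\alice,10.1.1.10,93.184.216.34,web-browsing,Temp Allow Business Apps,allow
2024-05-01 09:00:05,corp\\alice,10.1.1.10,142.250.72.14,google-docs,Temp Allow Business Apps,allow
2024-05-01 09:01:12,corp\\bob,10.1.1.11,142.250.72.14,google-docs,Temp Allow Business Apps,allow
2024-05-01 09:02:30,corp\\bob,10.1.1.11,185.199.108.153,github-base,Temp Allow Business Apps,allow
2024-05-01 09:03:00,corp\\carol,10.1.1.12,203.0.113.9,bittorrent,Temp Allow Business Apps,allow
2024-05-01 09:04:10,corp\\carol,10.1.1.12,198.51.100.7,web-browsing,Block Known Malicious IPs,deny
2024-05-01 09:05:00,corp\\dave,10.1.1.13,142.250.72.14,google-docs,Allow Sanctioned Apps,allow
"""

# Assumed rule name and review threshold; both are site-specific choices.
TEMP_RULE = "Temp Allow Business Apps"
MIN_USERS = 2  # apps seen from fewer distinct users go to manual review


def parse_log(text):
    """Parse a CSV export into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def apps_via_temp_rule(rows, rule=TEMP_RULE):
    """Return {app: {user, ...}} for sessions allowed only by the temporary rule.

    Sessions matched by the explicit block rule or an existing explicit allow
    rule are already decided and are deliberately excluded.
    """
    seen = defaultdict(set)
    for row in rows:
        if row["rule"] == rule and row["action"] == "allow":
            seen[row["app"]].add(row["src_user"])
    return dict(seen)


def propose_allow_rules(apps, min_users=MIN_USERS):
    """Split discovered apps into allow-rule candidates and apps needing review.

    An app used by at least min_users distinct users is a candidate for an
    explicit allow rule scoped to those users; anything rarer needs a human
    decision (sanction it, tolerate it, or block it) before a rule is written.
    """
    candidates, review = {}, {}
    for app, users in sorted(apps.items()):
        target = candidates if len(users) >= min_users else review
        target[app] = sorted(users)
    return candidates, review


if __name__ == "__main__":
    discovered = apps_via_temp_rule(parse_log(SAMPLE_TRAFFIC_LOG))
    candidates, review = propose_allow_rules(discovered)
    print("Allow-rule candidates:", candidates)
    print("Needs review before a rule is written:", review)
```

Run this against a real export by replacing SAMPLE_TRAFFIC_LOG with the file contents and mapping the column names; the review bucket is where tolerated personal applications (and anything you would rather block, such as bittorrent in the sample) surface, so it is the list to work through before the temporary allow rule is retired.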
To apply a consistent Security policy across multiple locations, manage the firewalls from
Panorama: device groups carry the shared Security policy rules and objects, and templates and
template stacks carry the network and device settings, so that the same policies and settings
apply to every internet gateway firewall at every location. Templates use variables to supply
device-specific values such as IP addresses and FQDNs, which lets you keep one global
configuration while reducing the number of templates and template stacks you need to manage.
The following topics describe how to create the initial rulebase, explain why each rule is
necessary, and show the risks of ignoring the best practice recommendations: