This week’s network security tip focuses on implementing a “deny” firewall rule at the end of the ruleset as a method to prevent traffic from going where it’s not wanted in the network. Justin, a senior security professional from Trinidad, suggests, “End your rule base with a clean-up rule or an ANY ANY DENY rule.”
Matt, a Sr. Systems Engineer from the US expands on this: “Deny policies at the end of your rule set help make sure you catch traffic that’s trying to go to the wrong zone, so it is important to have every combination covered. Make sure you have enough deny policies between your zones with this factorial math equation: (number of zones)! / (number of zones -2)! = (number of possible two-way combinations). 3 zones with deny policies each way would mean you need 6 policies – 3! / 1! = 6. 10 zones means you need 90 unique policies – 10! / 8! = 90.”
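To put Matt’s formula to work, here is an added example (not code from the post or from AlgoSec) that computes the required number of inter-zone deny policies and audits a rulebase for zone pairs that still lack one. Zone names, the (src, dst) policy tuples and the use of "any" as a wildcard are constructed assumptions for the example.

```python
from itertools import permutations
from math import factorial


def required_deny_policies(zone_count: int) -> int:
    """Ordered zone pairs needing a deny policy: n! / (n-2)!, i.e. n * (n-1)."""
    if zone_count < 2:
        return 0
    return factorial(zone_count) // factorial(zone_count - 2)


def missing_zone_denies(zones, deny_policies):
    """Return the ordered (src, dst) zone pairs with no explicit deny policy.

    deny_policies: iterable of (src_zone, dst_zone) tuples present in the rulebase.
    A policy whose source or destination is "any" covers every zone on that side,
    so a final ANY ANY DENY clean-up rule covers all pairs at once.
    """
    covered = set()
    for src, dst in deny_policies:
        srcs = zones if src == "any" else [src]
        dsts = zones if dst == "any" else [dst]
        for s in srcs:
            for d in dsts:
                if s != d:  # intra-zone traffic is outside the zone-pair count
                    covered.add((s, d))
    return sorted(pair for pair in permutations(zones, 2) if pair not in covered)


# Constructed sample: three zones and a rulebase that forgot the dmz -> trust deny.
ZONES = ["trust", "untrust", "dmz"]
SAMPLE_DENY_POLICIES = [
    ("trust", "untrust"), ("untrust", "trust"),
    ("trust", "dmz"), ("dmz", "untrust"), ("untrust", "dmz"),
]

if __name__ == "__main__":
    print("required deny policies:", required_deny_policies(len(ZONES)))
    print("uncovered zone pairs:", missing_zone_denies(ZONES, SAMPLE_DENY_POLICIES))
```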
As always, please share your own tips by commenting on this blog or sending us a Direct Message on Twitter via @AlgoSec.