It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 7,058
Sorry, gonna rock the boat here, but if it's a new install, ALWAYS deny first and permit after. The benefits over and above tighter security:
- You make the users/BA/Developers understand their applications better
- If you have an outbreak (inside, which is more likely than a pen outside) you can prevent the "call homes" or reverse DOS, saving you from a lawsuit.
- SOX and other compliance checks will fail you for not denying.
The best is to have defense in depth: a router on the inside doing routing and traffic shaping, firewalls doing rule enforcement, and a router on the outside policing traffic to prevent DOS's etc.
Good luck
__________________
Bob James
06 Cayman S - Money Penny
18 Macan GTS
Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
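To make the default-deny vs. default-permit point above concrete, here is an added example (not the poster's code) that models a first-match firewall ruleset and evaluates a few constructed flows under each default. The internal network 10.0.0.0/24, the hosts, ports and rules are all hypothetical sample values; the point is that with default-permit, an internal host's unexpected outbound connection and an unlisted inbound port both sail through with no rule ever having been written for them, while default-deny blocks everything that was not explicitly reviewed and permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """A single connection attempt seen by the firewall (constructed sample)."""
    direction: str   # "in" or "out" relative to the protected network
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None fields act as wildcards."""
    action: str                 # "permit" or "deny"
    direction: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (
            self.direction == flow.direction
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First-match evaluation; the default policy applies when no rule matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Hypothetical explicit permits for a hypothetical 10.0.0.0/24 internal network.
INTERNAL = "10.0.0.0/24"
PERMITS = [
    Rule("permit", "out", src=INTERNAL, proto="tcp", dport=443),                      # web browsing
    Rule("permit", "out", src=INTERNAL, dst="10.0.0.53/32", proto="udp", dport=53),   # internal resolver
    Rule("permit", "in", dst="10.0.0.80/32", proto="tcp", dport=443),                 # published HTTPS service
]

# Constructed sample flows: two expected ones, and two nobody wrote a rule for
# (an internal host "calling home", and an inbound connection to an unpublished port).
FLOWS: Dict[str, Flow] = {
    "web": Flow("out", "10.0.0.25", "203.0.113.10", "tcp", 443),
    "dns": Flow("out", "10.0.0.25", "10.0.0.53", "udp", 53),
    "call_home": Flow("out", "10.0.0.25", "198.51.100.7", "tcp", 4444),
    "inbound_rdp": Flow("in", "198.51.100.7", "10.0.0.80", "tcp", 3389),
}


def audit(default: str) -> Dict[str, str]:
    """Decision for every sample flow under the given default policy."""
    return {name: evaluate(PERMITS, default, flow) for name, flow in FLOWS.items()}


def unexpected_permits(default: str) -> List[str]:
    """Flows the policy lets through although no explicit permit rule covers them.

    Under default-permit this is the list of traffic that was never reviewed by
    anyone; under default-deny it is empty by construction.
    """
    return [
        name for name, flow in FLOWS.items()
        if evaluate(PERMITS, default, flow) == "permit"
        and not any(r.action == "permit" and r.matches(flow) for r in PERMITS)
    ]


if __name__ == "__main__":
    for default in ("permit", "deny"):
        print(f"default-{default}: {audit(default)}")
        print(f"  allowed without an explicit rule: {unexpected_permits(default)}")
```

The `unexpected_permits` check is the audit a reviewer would actually run against a default-permit ruleset: every flow it lists is traffic the business never asked for and nobody can explain, which is exactly the gap that a compliance review flags and that an internal outbreak exploits.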