The overall goal of a best practice internet gateway security policy is positive enforcement: allow only the applications you have explicitly sanctioned (an application allow list) and deny everything else. However, it takes some time to identify exactly which applications are running on your network, which of those applications are critical to your business, and which users need access to each one. The best way to reach the end goal of a policy rulebase that contains only application allow rules is to start with an initial rulebase that liberally allows both the applications you officially provision for your users and other general business (and, if appropriate, personal) applications. This initial policy also includes additional rules that explicitly block known malicious IP addresses and known bad applications, as well as some temporary allow rules designed to help you refine the policy and keep applications your users may need from breaking while you transition to the best practice rulebase.
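As an added illustration (not part of the original document and not any vendor's configuration syntax), the following Python model shows the transition described above as a first-match rulebase: explicit block rules first, sanctioned-application allow rules next, then a temporary catch-all allow rule that records which applications it matched. The hit counts on the temporary rule identify the applications to promote into explicit allow rules; once promoted, the temporary rule is dropped and anything unmatched falls to the implicit deny. Application names, rule names and IP addresses are constructed placeholders.

```python
"""Staged internet-gateway rulebase model (added example, not vendor code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    apps: Optional[frozenset] = None   # None matches any application
    dst_ips: Optional[frozenset] = None  # None matches any destination
    temporary: bool = False            # discovery rule, removed when tightened

    def matches(self, app: str, dst: str) -> bool:
        return ((self.apps is None or app in self.apps)
                and (self.dst_ips is None or dst in self.dst_ips))


class Rulebase:
    """First-match rulebase; anything unmatched hits the implicit deny."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.hits = Counter()        # hits per rule name
        self.discovered = Counter()  # apps that were only caught by a temporary rule

    def evaluate(self, app: str, dst: str):
        for rule in self.rules:
            if rule.matches(app, dst):
                self.hits[rule.name] += 1
                if rule.temporary:
                    self.discovered[app] += 1
                return rule.action, rule.name
        return "deny", "implicit-deny"

    def promote(self, min_hits: int = 1):
        """Apps seen on temporary rules often enough to deserve an explicit allow."""
        return sorted(a for a, n in self.discovered.items() if n >= min_hits)

    def tightened(self, promoted):
        """Next revision: temporary rules removed, promoted apps explicitly allowed."""
        rules = [r for r in self.rules if not r.temporary]
        if promoted:
            rules.append(Rule("allow-reviewed-apps", "allow", frozenset(promoted)))
        return Rulebase(rules)


BAD_IPS = frozenset({"198.51.100.7"})  # constructed placeholder for a known-bad address


def build_initial_rulebase() -> Rulebase:
    # Explicit blocks first, sanctioned allows next, temporary catch-all last.
    return Rulebase([
        Rule("block-known-bad-ips", "deny", dst_ips=BAD_IPS),
        Rule("block-bad-apps", "deny", apps=frozenset({"bittorrent", "tor"})),
        Rule("allow-sanctioned", "allow",
             apps=frozenset({"web-browsing", "ssl", "dns", "office-mail"})),
        Rule("temp-allow-discovery", "allow", temporary=True),
    ])


SAMPLE_TRAFFIC = [  # constructed (application, destination) observations
    ("web-browsing", "203.0.113.10"),
    ("ssl", "203.0.113.10"),
    ("crm-saas", "203.0.113.20"),
    ("crm-saas", "203.0.113.20"),
    ("crm-saas", "203.0.113.21"),
    ("video-chat", "203.0.113.30"),
    ("bittorrent", "203.0.113.40"),
    ("ssl", "198.51.100.7"),
]


def run_transition(traffic, min_hits: int = 2):
    """Evaluate traffic against the initial rulebase, promote the apps the
    temporary rule discovered, and re-evaluate against the tightened rulebase."""
    initial = build_initial_rulebase()
    before = [initial.evaluate(app, dst) for app, dst in traffic]
    promoted = initial.promote(min_hits)
    final = initial.tightened(promoted)
    after = [final.evaluate(app, dst) for app, dst in traffic]
    return before, promoted, after


if __name__ == "__main__":
    before, promoted, after = run_transition(SAMPLE_TRAFFIC)
    print("promoted to explicit allow:", promoted)
    for (app, dst), b, a in zip(SAMPLE_TRAFFIC, before, after):
        print(f"{app:13} {dst:15} initial={b[1]:22} final={a[1]}")
```

In this model the single temporary rule is what makes the liberal phase safe to tighten: its hit counter is the inventory of applications in use, and only applications that cross the review threshold become allow rules, while a one-off application (video-chat in the sample) is left to the implicit deny in the final rulebase.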