The overall goal of a best practice internet gateway
security policy is to use positive enforcement of allowed applications.
However, it takes some time to identify exactly what applications
are running on your network, which of these applications are critical
to your business, and who the users are that need access to each one.
The best way to accomplish the end goal of a policy rulebase that
includes only application allow rules is to create an initial policy
rulebase that liberally allows both the applications you officially
provision for your users as well as other general business and,
if appropriate, personal applications. This initial policy also
includes additional rules that explicitly block known malicious
IP addresses and bad applications, as well as some temporary allow rules
that are designed to help you refine your policy and prevent applications
your users may need from breaking while you transition to the best
practices.
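As an added illustration (not from this page and not any vendor's configuration syntax), the Python model below evaluates a transitional rulebase of the shape described above. It assumes top-down, first-match evaluation with an implicit final deny; the rule names, application names, user groups and addresses are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    apps: set[str] | None = None         # None = any application
    users: set[str] | None = None        # None = any user group
    dst_nets: list = field(default_factory=list)  # empty = any destination
    log_for_review: bool = False         # temporary rule: record hits for refinement

# Order matters under first-match: explicit blocks sit above the liberal allows.
RULEBASE = [
    Rule("block-known-bad-ips", "deny", dst_nets=[ip_network("203.0.113.0/24")]),  # constructed
    Rule("block-bad-apps", "deny", apps={"tor", "bittorrent"}),                     # constructed
    Rule("allow-sanctioned", "allow", apps={"ssl", "web-browsing", "office365"}, users={"employees"}),
    Rule("allow-general-business", "allow", apps={"dropbox", "slack"}),
    # Temporary catch-all so apps you have not yet identified keep working during the transition.
    Rule("temp-allow-unknown", "allow", log_for_review=True),
]

def matches(rule: Rule, app: str, user: str, dst: str) -> bool:
    if rule.apps is not None and app not in rule.apps:
        return False
    if rule.users is not None and user not in rule.users:
        return False
    if rule.dst_nets and not any(ip_address(dst) in net for net in rule.dst_nets):
        return False
    return True

def evaluate(app: str, user: str, dst: str, rulebase=RULEBASE):
    """First matching rule decides; returns (action, rule name, flagged for review)."""
    for rule in rulebase:
        if matches(rule, app, user, dst):
            return rule.action, rule.name, rule.log_for_review
    return "deny", "default-deny", False

def review_candidates(sessions, rulebase=RULEBASE):
    """Sessions that only the temporary rule let through, grouped app -> user groups.
    Each entry is a candidate for an explicit allow (or block) rule before the
    temporary rule is retired."""
    found: dict[str, set[str]] = {}
    for app, user, dst in sessions:
        action, _, flagged = evaluate(app, user, dst, rulebase)
        if action == "allow" and flagged:
            found.setdefault(app, set()).add(user)
    return found
```

Feeding observed sessions to `review_candidates` gives the list of applications and user groups that still depend on the temporary rule, which is the input for converting the rulebase to explicit allow rules only.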