Follow the Principle of “Least Privilege”
The most secure approach to policy design is to specifically list the resources to which you want to permit
access. Anything not accounted for in the “permit” rules is denied by the appliance. This approach follows one
of the fundamental design principles of computer security: that access rights should be explicitly granted,
rather than given to users by default.
An alternate approach is to create “deny” rules for restricted resources, but permit access to everything else by
default. Here, anything not accounted for in the “deny” rules is accessible, until the final “deny” rule is
processed. This method may be easier to set up, but is more error-prone and thus not as secure.
Of course, you can also use a combination of permit and deny rules. In this case, users are permitted access to
some resources, but denied access to others.
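The following added example (not code from the appliance or its vendor) models the three approaches above to show why default-permit policies are more error-prone. It assumes first-match rule ordering and glob-style patterns; the host names and the `decide`, `accessible` and `drift` helpers are constructed for illustration.

```python
from fnmatch import fnmatch

def decide(rules, default, resource):
    """Assumed semantics: rules are checked in order, first match wins."""
    for action, pattern in rules:
        if fnmatch(resource, pattern):
            return action
    return default  # applies to anything no rule accounts for

def accessible(policy, resources):
    rules, default = policy
    return sorted(r for r in resources if decide(rules, default, r) == "permit")

def drift(policy, before, after):
    """Resources reachable only because the inventory grew, not because
    anyone edited the policy."""
    return sorted(set(accessible(policy, after)) - set(accessible(policy, before)))

# Constructed inventory of internal resources.
RESOURCES = ["intranet.example.test", "mail.example.test",
             "hr-db.example.test", "finance.example.test"]

# Least privilege: list what is permitted, deny everything else.
ALLOW_LIST = ([("permit", "intranet.example.test"),
               ("permit", "mail.example.test")], "deny")

# Alternative: list what is restricted, permit everything else.
DENY_LIST = ([("deny", "hr-db.example.test"),
              ("deny", "finance.example.test")], "permit")

# Combination: a specific deny followed by a broad permit.
MIXED = ([("deny", "hr-db.example.test"),
          ("permit", "*.example.test")], "deny")

# A new server is deployed and nobody updates the policy.
GROWN = RESOURCES + ["backup-admin.example.test"]

if __name__ == "__main__":
    for name, policy in [("allow-list", ALLOW_LIST),
                         ("deny-list", DENY_LIST), ("mixed", MIXED)]:
        print(f"{name:10} newly exposed: {drift(policy, RESOURCES, GROWN)}")
```

On the original inventory the allow-list and deny-list policies grant identical access; they diverge only when a resource appears that neither rule set accounts for. The mixed policy shows that a broad permit pattern behaves like default-permit for everything it matches.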