Analyzing Firewall Policy Models and the PIX ASA
Copyright © 2002, Brandon Gillespie
Note: this is a slide-show presentation I created in 2002 to explain the impact of the PIX ASA model. Slides are separated by horizontal rules (lines). It is presented here for reference for anybody struggling with this issue.
Common Policy Models
- Blacklist: Allow everything EXCEPT for what is explicitly denied
- Whitelist: Deny everything EXCEPT for what is explicitly allowed
- Firewalls traditionally default to a Whitelist, as it is more secure with less configuration
Cisco Adaptive Security Algorithm (ASA)
- Security Levels on each Interface allow traffic from a higher level to a lower level without any further access configuration (Blacklist)
- Default external interface is Level 0 (lowest) and internal interface is Level 100 (highest)
- Packets can travel from a high security interface to a low security interface without additional access policy rules
- Cisco's ASA sets the default behavior of a PIX to a Blacklist, rather than the Whitelist traditionally found in competing vendors' firewalls.
Benefits of a default Blacklist Firewall Policy
- Building and Managing a Firewall Policy can normally be a time-consuming and frustrating process for both the administrators and the users. A firewall with a default Blacklist can be installed without first defining a security policy for the access through the firewall.
- With a default blacklist policy it is possible to quickly install a PIX firewall without a significant amount of upfront security competency required by the installers.
Drawbacks of a default Blacklist Firewall Policy
- It is more prone to allow undesired behavior and security policy violations, such as reverse-tunnels, trojans, worms and similar attacks.
- It is hard to switch from a PIX with a default Blacklist to a Whitelist model.
Benefits of a default Whitelist Firewall Policy
- Greater security, because unknown services and network activity are not allowed by default. This greatly dampens the effectiveness of trojans, viruses and worms.
- It is easy to switch a default Whitelist firewall to a Blacklist firewall.
Drawbacks of a default Whitelist Firewall Policy
- Installing a Whitelist Firewall takes more up-front time, because the policy of what is to be allowed through the firewall must be determined before it is installed and functional.
- Managing a Whitelist Firewall Policy is more time-consuming in a network with actively changing needs and demands.
- It can be a greater frustration to the users, because they have to follow a process to request and have their new or changing access granted, rather than just having it work when they need it.
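The following is an added example, not part of the original slides, that models the two policy defaults described above so the difference can be seen on concrete flows. The interface names, security levels, ports and sample flows are constructed for illustration, and the decision logic is a simplified reading of the ASA rules on the earlier slide (higher level to lower level passes with no access rule; an explicit rule on the inbound interface decides first), not Cisco's implementation.

```python
"""Toy model: PIX-style security levels (default Blacklist) vs. a Whitelist default.

Added example, not from the original slides. Interface names, levels and the
sample flows are constructed; the evaluation logic is a simplified reading of
the ASA behaviour described in the slides, not Cisco's code.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_if: str   # interface the initiating packet arrives on
    dst_if: str   # interface it would leave on
    proto: str    # "tcp" or "udp"
    dport: int    # destination port of the initiating packet


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str
    dport: Optional[int]   # None matches any port

    def matches(self, flow: Flow) -> bool:
        return self.proto == flow.proto and (self.dport is None or self.dport == flow.dport)


@dataclass
class Firewall:
    levels: dict                                 # interface name -> security level (0..100)
    acls: dict = field(default_factory=dict)     # inbound interface -> ordered list of Rule
    default_permit_high_to_low: bool = True      # True = ASA behaviour (Blacklist); False = Whitelist

    def _first_match(self, flow: Flow) -> Optional[str]:
        for rule in self.acls.get(flow.src_if, []):
            if rule.matches(flow):
                return rule.action
        return None

    def evaluate(self, flow: Flow) -> str:
        """Return 'permit' or 'deny' for the initiating packet of a flow.

        Return traffic of a permitted flow is assumed to be handled statefully
        and is not modelled here.
        """
        explicit = self._first_match(flow)
        if explicit is not None:
            return explicit   # an explicit rule on the inbound interface always decides
        if self.default_permit_high_to_low and self.levels[flow.src_if] > self.levels[flow.dst_if]:
            return "permit"   # ASA default: higher security level -> lower passes with no rule
        return "deny"         # everything else needs an explicit permit


def pix_default() -> Firewall:
    """The defaults named on the ASA slide: outside = level 0, inside = level 100, no rules."""
    return Firewall(levels={"outside": 0, "inside": 100})


def whitelist(allowed_outbound) -> Firewall:
    """A Whitelist firewall: only the listed (proto, port) pairs may leave the inside interface."""
    fw = Firewall(levels={"outside": 0, "inside": 100}, default_permit_high_to_low=False)
    fw.acls["inside"] = [Rule("permit", proto, port) for proto, port in allowed_outbound]
    return fw


# Constructed sample flows: a normal web request, an unknown outbound service of the
# kind a reverse tunnel would use, and an unsolicited inbound connection attempt.
SAMPLE_FLOWS = [
    Flow("inside", "outside", "tcp", 80),
    Flow("inside", "outside", "tcp", 4444),
    Flow("outside", "inside", "tcp", 22),
]


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to (decision under PIX defaults, decision under a Whitelist)."""
    pix = pix_default()
    wl = whitelist([("tcp", 80), ("tcp", 443), ("udp", 53)])
    return {(f.src_if, f.proto, f.dport): (pix.evaluate(f), wl.evaluate(f)) for f in flows}


if __name__ == "__main__":
    for (src, proto, port), (pix_dec, wl_dec) in compare().items():
        print(f"{src:>7} {proto}/{port:<5} PIX default: {pix_dec:<6} Whitelist: {wl_dec}")
```

Running it shows the point of the slides in one table: the unknown outbound service on tcp/4444 is permitted by the PIX default and denied by the Whitelist, while the ordinary web request passes under both and the inbound attempt is denied under both. To block the unknown service under the PIX default you must add an explicit deny rule for it after noticing it, which is the Blacklist maintenance burden the drawbacks slide refers to.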
Summary
- The issue is risk versus time and competency. A Whitelist firewall is more secure than a Blacklist firewall, but takes more time to install and manage. Is the time involved in building and managing the more secure Whitelist firewall worth it? Or is it OK to accept the lower security level of the Blacklist firewall (specifically, the exposure to backdoors using reverse tunnels, trojans, viruses, etc.)?