Implicit and Explicit Denial Rule in Firewall

Happy Tuesday!!


The purpose of this article is to discuss implicit denial and explicit denial within a firewall, and what they mean.

Imagine an exclusive conference (Cisco Live) where only invited or registered guests are allowed to attend. You won't get in if you're not on the list. This is a very common way to control access to exclusive events. Imagine we took a slightly different approach, and created a list of everyone who isn't allowed into this event. Well, in this case, there are millions and millions of people on this list. It would take forever for me to check if someone is on that list. This approach is really unmanageable. We can keep a list of people who are allowed in much easier than a list of people who are not allowed in because there are so many more people who are not allowed in. That's how we want to approach firewall rule sets. Our goal is to have a list of traffic that is allowed in and deny everything else.


Explicit Deny all


access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
access-list 100 deny ip any any


The first three statements above are like our registered guest list at Cisco Live. We are only allowing traffic to these three ports. I don't need a list of every single port ever created: any other port that does not match these three is denied, and here that denial is written out as an explicit statement.


At the end of the rule set, we explicitly state that everything is denied. Anything that doesn't match the previous statements is denied. That's different from an implicit denial, since we're explicitly stating it.


Implicit Denial All


access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53


The function is still the same, but with an implicit denial. We have the same three statements specifying what we want to allow, but there is nothing at the end. Most firewalls operate in a mode of implicit denial, which means they behave as if a statement denying everything sat at the end of the rule set, even though none is written. By default, traffic is automatically denied unless you explicitly allow it.

The Zero Trust Model is one where nothing is implicitly trusted. The only ports that can be trusted are those that are necessary; everything else is untrusted. As a result, the basic thought process here is to block everything and then observe what happens. It's not the most convenient method, but the more secure something is, the less convenient it is. Access lists might block legitimate traffic. In those cases, we will have to observe and create the most specific openings possible. Firewall rules should be very granular; you don't want a blanket rule set.
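To make the first-match behaviour concrete, here is a small Python simulator I added for this article (it is not the article's own code and not a real Cisco parser). It reads the two rule sets shown above, evaluates a handful of constructed packets against each, and shows that the verdicts are identical: the unwritten deny at the end of every ACL does exactly what the written deny ip any any does. The only difference it exposes is that the explicit entry has a hit counter, which is the practical reason many engineers still write the deny out (on real gear it can also be logged). The sample traffic and the simplified "any any" grammar are assumptions of the example.

```python
"""Minimal first-match evaluator for Cisco-style extended ACL lines.

Constructed example: parses the two ACLs from the article and shows that
the implicit deny behaves exactly like the explicit 'deny ip any any'.
Only the 'any any' source/destination form is supported.
"""
from dataclasses import dataclass
from typing import Optional

EXPLICIT_DENY_ACL = """
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
access-list 100 deny ip any any
"""

IMPLICIT_DENY_ACL = """
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 53
"""


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_port: Optional[int]  # None means any destination port
    hits: int = 0            # how many packets matched this written entry


@dataclass
class Acl:
    entries: list
    implicit_hits: int = 0   # packets that fell off the end of the list


def parse_acl(text: str) -> Acl:
    """Parse 'access-list N permit|deny PROTO any any [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported line: {line!r}")
        port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        entries.append(Entry(action, proto, port))
    return Acl(entries)


def evaluate(acl: Acl, proto: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for one packet; the first match wins."""
    for e in acl.entries:
        if e.proto not in (proto, "ip"):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        e.hits += 1
        return e.action
    # Nothing matched: every ACL ends with an invisible deny-all.
    acl.implicit_hits += 1
    return "deny"


# Constructed sample traffic: (protocol, destination port)
SAMPLE_PACKETS = [
    ("tcp", 80), ("tcp", 443), ("udp", 53),   # should be permitted
    ("tcp", 22), ("tcp", 53), ("udp", 123),   # should be denied
]


def verdicts(acl_text: str) -> list:
    """Verdict for each sample packet, in order."""
    acl = parse_acl(acl_text)
    return [evaluate(acl, p, port) for p, port in SAMPLE_PACKETS]


def compare_rule_sets() -> bool:
    """True when both ACLs give the same verdict for every sample packet."""
    return verdicts(EXPLICIT_DENY_ACL) == verdicts(IMPLICIT_DENY_ACL)


def deny_counts(acl_text: str) -> tuple:
    """(hits on written deny entries, hits on the implicit deny)."""
    acl = parse_acl(acl_text)
    for p, port in SAMPLE_PACKETS:
        evaluate(acl, p, port)
    explicit = sum(e.hits for e in acl.entries if e.action == "deny")
    return explicit, acl.implicit_hits


if __name__ == "__main__":
    print("same verdicts:", compare_rule_sets())
    print("explicit ACL (written deny, implicit deny):", deny_counts(EXPLICIT_DENY_ACL))
    print("implicit ACL (written deny, implicit deny):", deny_counts(IMPLICIT_DENY_ACL))
```

Running it prints the same six verdicts for both lists; the explicit list records its three drops on the written deny entry, while the implicit list records them on the invisible one. Note that tcp/53 is dropped by both lists even though udp/53 is allowed, which is the granularity the article is asking for.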


Key Notes:


Explicit Statement:

Explicit statements in a firewall mean that we are explicitly denying or allowing some traffic. The rule is written out: the firewall has an actual statement for that traffic.


Implicit Statement:

There is no written statement, so the firewall falls back on an implicit denial, which is essentially a rule that denies everything. You might not see that rule, but it's there. That's an implicit denial.




