Firewall Rules: Explicit Deny vs Implicit Deny

Quick Definition: Firewall rules can either allow or deny traffic. Explicit deny rules will block traffic when it meets specific parameters, whereas implicit deny rules will block all traffic not matching a firewall rule of any type.
Like airport security staff vetting passengers, firewalls work to manage who, or in this case, which traffic, can enter and leave the network. Firewalls are one of many security functions that help prevent unauthorized access to a network, and even between individual segments within a network.
Firewall rules can allow traffic, reject it (sending an error such as a TCP reset or ICMP unreachable back to the sender), or silently drop it with no response at all, depending on how the rules are configured and which rule a given packet triggers.
The function of a firewall is to manage connections, and this article will discuss two specific firewall functions: explicit deny and implicit deny. Both of these options prevent connections, but each functions differently and supports different use cases.
What are Firewall Rules?
Firewall rules work as a form of if-then statements defined by network administrators, each triggered by a condition tied to the attributes of network traffic. Every packet moving through the firewall is compared against the ordered list of rules, and the first rule that matches decides what happens to that packet; rules further down the list are not consulted. That is why the order of the rules matters as much as their content.
Firewall rules evaluate traffic based on information such as:
Source and destination IP addresses
Protocol (for example TCP, UDP or ICMP) and source or destination port
Direction (whether the traffic is entering or exiting the network)
Types of Firewall Rules
Firewalls do one of two things: they either allow or deny traffic. Allowing traffic is relatively straightforward, but firewalls typically have several methods for denying traffic, which will be discussed in the following sections.
Allow Rules
Allow rules do just that: they let traffic pass from source to destination because it matched the criteria of an allow rule. A typical allow rule permits a specific service to a specific destination, for example TCP port 22 (SSH) to a bastion host from the management network, or TCP port 443 (HTTPS) to a public web server from anywhere.
Deny Rules
If traffic is not allowed to pass, it is denied permission to proceed through the network. Common reasons traffic is denied include an untrusted source address, a destination service that is not meant to be reachable from that source, or a protocol the organization has decided not to expose, such as Telnet (TCP port 23) or cleartext HTTP (TCP port 80).
Purpose of Deny Rules in Network Security
Deny rules are crucial to protecting networks from traffic that may be unauthorized, malicious, or otherwise suspicious. Firewall rules help network administrators focus on managing smaller sets of traffic within an environment by blocking all other traffic. Referring back to the analogy made in the introduction, managing security becomes much easier when security staff only need to focus on ticketed passengers past the designated security checkpoints.
What is the Explicit Deny Firewall Rule?
Explicit deny firewall rules block traffic based on matched criteria within the firewall rules. For example, firewall rules may establish explicit deny rules against a list of known malicious IP addresses, and any traffic sent by one of those IP addresses will be blocked without hesitation. Keeping the analogy going, passengers with weapons in their carry-on luggage are explicitly prohibited from passing through the security checkpoint at an airport.
Implementation in Network Hardening
Explicit deny rules are especially useful for blocking traffic from known malicious IPs, enforcing network segmentation, and meeting compliance or regulatory requirements.
Benefits of Explicit Deny Rules
Here are a few reasons why explicit deny rules are helpful in network security:
Granular Control Over Network Traffic
Explicitly defining criteria for unwanted traffic enables network administrators to precisely control what traffic is not allowed onto the network. This helps reduce the attack surface, and reduces the risk of unintentionally blocking traffic that should be allowed.
Prevention of Unauthorized Access
Explicit deny rules act as a safety net against allow rules that are unintentionally too permissive, but only when they are positioned so that they are evaluated first. Because the first matching rule wins, an explicit deny placed below a broad allow never sees the traffic the allow has already let through. Put blocklist-style denies near the top of the list, and review the ordering whenever a new allow rule is added.
Defense Against Known Threats
IP addresses, ports, and protocols can often be attributed to malicious activity or known malware. Blocking those known attributes prevents malicious activity. Explicit deny rules can block command-and-control (C2) traffic, filter traffic from known malicious networks, and prevent internal assets from reaching out to external IP addresses associated with the dark web.
What is the Implicit Deny Firewall Rule?
Implicit deny rules are the true safety nets of the firewall ruleset. If traffic is neither explicitly denied nor explicitly allowed, it is blocked by the implicit deny out of an abundance of caution. Firewall rules are read from top to bottom, and if a packet has not matched any rule by the time the bottom of the list is reached, the implicit deny takes effect. This default-deny stance is one of the principles zero-trust architectures build on.
Implementation in Network Hardening
Most commercial firewalls ship with this default-deny behavior, dropping any traffic that isn't explicitly allowed. It is not universal, however: host firewalls such as iptables and nftables start with an accept policy on an empty chain, so the administrator has to set the chain policy to drop (or add a final catch-all deny rule) to get an implicit deny at all. Verify the default policy of every chain rather than assuming it. Once in place, this configuration removes the risk of accidentally allowing traffic that nobody decided how to handle.
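The first-match evaluation described under "What are Firewall Rules?", the ordering caveat for explicit deny rules, and the implicit deny at the bottom of the list can all be checked with a small in-memory model. The following is an added example written for this article, not code from the original page: the rule fields, the addresses (RFC 5737 documentation ranges and RFC 1918 private space) and the packets are all constructed for illustration, and the `shadowed_denies` check is a simple overlap test rather than any particular vendor's rule analyzer.

```python
"""First-match firewall evaluation with explicit deny rules and an implicit
deny at the bottom of the list.

Added example, not code from the original article. It models the rule
matching described in the text in memory so the ordering effects can be
checked; every rule, address and packet below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    name: str
    src: str = "0.0.0.0/0"       # source CIDR; the default matches any source
    dst: str = "0.0.0.0/0"       # destination CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (None in (self.proto, other.proto) or self.proto == other.proto)
                and (None in (self.dport, other.dport) or self.dport == other.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """Compare the packet against the list top to bottom; the first match wins.

    Returns (action, rule name, rules compared). A packet that matches no rule
    is dropped by the implicit deny, but only after it has been compared with
    every rule in the list, which is the costly path on a long ruleset.
    """
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, rule.name, n
    return "deny", "implicit deny", len(rules)


def shadowed_denies(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Find explicit deny rules that an earlier allow rule can pre-empt.

    Because the first match wins, an allow placed above an overlapping deny
    lets through part of the traffic the deny was written to block.
    """
    findings = []
    for i, deny in enumerate(rules):
        if deny.action != "deny":
            continue
        for allow in rules[:i]:
            if allow.action == "allow" and allow.overlaps(deny):
                findings.append((deny.name, allow.name))
    return findings


# Constructed ruleset: blocklist first, then the two services we intend to expose.
BLOCKLISTED_NET = "198.51.100.0/24"
RULES = [
    Rule("deny", "explicit deny: blocklisted net", src=BLOCKLISTED_NET),
    Rule("allow", "allow ssh from mgmt", src="10.0.0.0/8", proto="tcp", dport=22),
    Rule("allow", "allow https from anywhere", proto="tcp", dport=443),
]
# The same rules with the blocklist moved to the bottom: a common ordering mistake.
MISORDERED = [RULES[2], RULES[1], RULES[0]]

# Constructed packets aimed at a web server at 192.0.2.10.
HTTPS_FROM_BLOCKLISTED = Packet("198.51.100.7", "192.0.2.10", "tcp", 443)
SSH_FROM_MGMT = Packet("10.1.2.3", "192.0.2.10", "tcp", 22)
SSH_FROM_OUTSIDE = Packet("203.0.113.9", "192.0.2.10", "tcp", 22)
TELNET_FROM_OUTSIDE = Packet("203.0.113.9", "192.0.2.10", "tcp", 23)

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_BLOCKLISTED, SSH_FROM_MGMT, SSH_FROM_OUTSIDE, TELNET_FROM_OUTSIDE):
        print(pkt, "->", evaluate(RULES, pkt), "| misordered:", evaluate(MISORDERED, pkt))
    print("shadowed in misordered list:", shadowed_denies(MISORDERED))
```

Running the script shows the three behaviors side by side: the blocklisted client is stopped by the explicit deny after a single comparison in the correct list but is allowed in the misordered one, SSH from outside the management network and Telnet from anywhere fall through every rule to the implicit deny, and `shadowed_denies` points at the allow rule that pre-empts the misplaced deny.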
Benefits of Implicit Deny Rules
There are several benefits to implicit deny rules, including:
Default Deny Stance
Requiring network administrators to create explicit rules to allow traffic and denying everything else helps ensure unexpected traffic does not sneak its way onto the network. It is much easier to keep track of what should be allowed, rather than all the possibilities that should not.
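Because a default-deny stance only exists if the chain policy (or a final catch-all rule) actually denies, it is worth auditing a saved ruleset for it. The following is an added example, not code from the original article: it parses the standard `iptables-save` text format (`:CHAIN POLICY [pkts:bytes]` policy lines and `-A CHAIN ... -j TARGET` rules) and flags chains with no implicit deny as well as unconditional ACCEPT rules that make every later rule dead. Both dumps below are constructed for the example, not captured from a real host, and the set of match flags it recognizes is a deliberately small subset of what iptables supports.

```python
"""Audit an iptables-save dump for a missing implicit deny and for catch-all allows.

Added example, not code from the original article. Assumes the iptables-save
text format; the dumps below are constructed, not captured from a real host.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed dump: INPUT has no default deny, OUTPUT ends in an unconditional allow.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed hardened version: every built-in chain has a DROP policy and
# only specific, matched traffic is accepted.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Subset of iptables options that restrict what a rule matches (assumption:
# anything outside this set is treated as not narrowing the rule).
MATCH_FLAGS = {"-s", "-d", "-p", "-i", "-o", "-m", "--dport", "--sport", "--ctstate", "--state"}
DENY_TARGETS = {"DROP", "REJECT"}


def parse_filter_table(dump: str) -> Tuple[Dict[str, str], List[Tuple[str, List[str], str]]]:
    """Return ({chain: policy}, [(chain, match_tokens, target), ...]) for *filter."""
    policies: Dict[str, str] = {}
    rules: List[Tuple[str, List[str], str]] = []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT ACCEPT [0:0]"
            policies[chain] = policy               # user chains carry "-"
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            if "-j" not in tokens:                 # no target (e.g. a -g goto); skip
                continue
            j = tokens.index("-j")
            rules.append((tokens[1], tokens[2:j], tokens[j + 1]))
    return policies, rules


def has_match_criteria(match_tokens: List[str]) -> bool:
    return any(t in MATCH_FLAGS for t in match_tokens)


def audit(dump: str) -> List[str]:
    """List findings; an empty list means every built-in chain is default-deny."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain, policy in policies.items():
        if policy == "-":      # user-defined chain: unmatched packets return to the caller
            continue
        chain_rules = [r for r in rules if r[0] == chain]
        # Implicit deny exists if the policy denies or a catch-all deny rule is present.
        closed = policy in DENY_TARGETS or any(
            t in DENY_TARGETS and not has_match_criteria(m) for _, m, t in chain_rules)
        if not closed:
            findings.append(f"{chain}: policy {policy} and no catch-all deny; unmatched traffic is allowed")
        for _, matches, target in chain_rules:
            if target == "ACCEPT" and not has_match_criteria(matches):
                findings.append(f"{chain}: unconditional ACCEPT; every later rule in this chain is dead")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP)) or "no findings")
    print("hardened:", audit(HARDENED_DUMP) or "no findings")
```

On a real host the input is simply the output of `iptables-save` (or `ip6tables-save`); the audit reports INPUT and OUTPUT in the constructed dump and nothing for FORWARD, whose DROP policy already supplies the implicit deny.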
Reduction of Attack Surface
Denying all traffic that isn’t explicitly allowed leaves attackers fewer approach vectors.
Mitigation of Zero-Day Threats
When a new vulnerability is discovered in a service, the implicit deny means an attacker can only reach that service if an allow rule was already written for it. Exposure is limited to what was deliberately opened, without anyone having to write a signature or a new deny rule first. The implicit deny does not protect the services that are explicitly allowed, so a zero-day in an exposed web server still needs patching or other compensating controls.
What are the Differences Between Explicit Deny and Implicit Deny?
It's likely clear by now that these rules are very different. However, examining exactly how each type of rule varies can help clarify their purpose and how they work.
Control Granularity
Explicit deny specifically targets traffic listed in the firewall ruleset; it has a selective impact. An implicit deny rule denies all traffic that does not match an existing rule; it has a universal impact.
Default Behavior
With explicit deny rules, administrators must define which traffic to block based on specific criteria. Implicit deny rules apply to all traffic that does not match a specific rule.
Impact on Network Performance
Explicit deny rules require manual input and add to the work the firewall does, since each packet is compared against every rule above the one that finally matches it. The implicit deny itself costs nothing extra, but a packet that reaches it has been compared against the entire ruleset, so on a long list the dropped packets are the most expensive ones to process. Ordering frequently hit rules near the top (without moving a deny below an overlapping allow) keeps that cost down.
Use Cases and Scenarios
Explicit deny rules should be used to block traffic that is known to be malicious or that violates the organization’s policies. Implicit deny rules should be used as the bedrock of your firewall rules; all traffic is denied when there’s no explicit rule explaining how it should be handled.
Conclusion
Firewall rules are a crucial component of network hardening. Allow rules define which traffic is permitted on the network based on specific criteria, while deny rules prevent traffic that should not be permitted on the network. Denial rules come in two main forms: explicit and implicit.
Explicit deny rules are prescribed based on criteria that match characteristics of known unwanted traffic, such as known bad IP addresses and services that should not be exposed. Implicit deny rules enforce a default-deny stance, denying all traffic not specifically permitted in the firewall rules. To minimize risk and reduce the attack surface, both explicit and implicit deny rules should be used.
To learn more about firewalls and network administration, explore cybersecurity training from CBT Nuggets.
