Hi, everyone. Ed Amoroso, here. Now I want you to take a minute and think about how the antivirus software on your PC works. What does it do? It has a list of stuff that it's looking for. These are called signatures, any virus signatures or patterns. And it'll say, "Oh, do I see this anywhere? No. Do I see this anywhere? No. Do I see this anywhere?" Goes all the way through its signatures and when it's done, if it didn't find anything that it was looking for, it goes, "Okay, you can use your PC. No problem. You're all set." That's called a default allow security tool. It means, "I'm going to think up a bunch of bad stuff, and if I can match on any of the bad stuff, then I'm going to do something like not allow you to use the machine. But if I can't think of the bad stuff, anything I can think of, I'll let you on. Default allow."
Now, in contrast, a firewall will typically work in a very different way. Just the opposite, in fact. So let's pop up our typical towers here with the different rules. And let's look at rule, source IP, destination IP, and so on, and what you'll see is that each of the successive rules in a packet filter is analyzed successively. We go from the top of the page down, that's the semantics of how the computation is done. I compare against the first rule. Does it match? Do the action. I look at the second rule. Does it match? I do the action. All the way down to the N minus oneth rule. And if it matches there, great. If it doesn't, then I get to the Nth or last rule, and that's going to be a default rule at any packet. Have to do something. You have to have some decision you're going to make, because the philosophy in a firewall is that it probably wants to block things that it didn't think up faster or think up in the context of my rule development. So the default rule in a packet filter is going to block.
So here's what that means. Let's say you have no rules whatsoever that you develop and you put a packet filter in place. You enable it and you go, go. What's going to happen? There's no rules. It's going to match on every packet. It's going to block everything. You've now just put in place something akin to snipping the wire. So that wouldn't be very useful unless that was your purpose. Unless you really wanted to snip the wire, then put a packet filter in with one default block rule. Probably not all that useful.
But now, let's say, you say, "I'd like to let people do whatever. I want to allow domain name system packets into my enterprise. And that's the only thing I want to do." Okay. So you put rules in there that allow that, and then the default rule blocks everything else, which means if I don't think to specifically allow, then you're not getting in. It's way more secure, but way less convenient. Meaning, it's a lot of obligation then for the firewall team. Whoever's doing the firewall, that packet filtering, and you'll see a little bit of proxy to make sure you have rules in there for whatever your business really needs.
So a lot of times, when people are in the business of doing firewall development, and setup and operations, and so on for a company, they'll tell you funny stories about the initial soak period where they put these things in place and everybody is always mad at them. This group can't get to the Internet, they can't get this application, and step-by-step, you put in place the things that need to be put in place, and eventually all the complaining dies down, and you've got all the things you need followed by a default block rule. That's the nice smooth situation, if only life were that simple. It's usually not that simple. But at any rate, you get the idea that antivirus is default allow, firewalls are default block. The former is more convenient, less secure, the latter is more secure, less convenient. That makes sense? Now, let's do a little quiz to test our understanding of this.
I guess that's a little odd because when you put in all of the above and none of the above, then it might be a logical inconsistency. Doesn't even matter, because the answer is C. So the answer is the default rule prevents access if a given service is not specifically enabled. So that gives you some idea of the power of this default block rule. It really is something that's important. And it's helped firewalls become part of the backbone of every enterprise security architecture. We'll see you on the next video.
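
The top-down rule evaluation with a final default block rule described in the lecture, beside a default-allow signature check, as an added example that is not part of the original transcript. The addresses (documentation ranges), the signature strings and the names `Packet`, `Rule`, `filter_packet` and `antivirus_scan` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR, "0.0.0.0/0" means any
    dst: str               # destination CIDR
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # None means any port
    action: str            # "allow" or "block"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules, packet):
    """Default block: compare rules top-down, first match decides."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, number
    # Nth (last) rule: anything nobody thought to allow is blocked.
    return "block", len(rules) + 1

def antivirus_scan(signatures, data: bytes) -> str:
    """Default allow: block only when a listed pattern is found."""
    return "block" if any(sig in data for sig in signatures) else "allow"

# Constructed sample policy: only DNS to one resolver is allowed in.
DNS_ONLY = [
    Rule("0.0.0.0/0", "192.0.2.53/32", "udp", 53, "allow"),
    Rule("0.0.0.0/0", "192.0.2.53/32", "tcp", 53, "allow"),
]
DNS_QUERY = Packet("198.51.100.7", "192.0.2.53", "udp", 53)
HTTPS_REQ = Packet("198.51.100.7", "192.0.2.10", "tcp", 443)
SIGNATURES = [b"CONSTRUCTED-SIG-A", b"CONSTRUCTED-SIG-B"]

if __name__ == "__main__":
    print(filter_packet([], DNS_QUERY))         # no rules: the "snipped wire"
    print(filter_packet(DNS_ONLY, DNS_QUERY))   # explicitly allowed service
    print(filter_packet(DNS_ONLY, HTTPS_REQ))   # falls through to default block
    print(antivirus_scan(SIGNATURES, b"content no signature lists"))
```
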