PIX w/ACLs and recommendations on PDM

rschroed
Level 1

Hi all,

I've always been pretty comfortable with the PIX's default security (no connections from lower sec interface to higher interface, w/o ACL) but I've seen some posts that indicate some think that it's recommended that outbound ACLs be applied (for example from the inside to outside interfaces). Other than being a good internet citizen and possibly preventing a vulnerability being transmitted from our inside to the Internet, what's the reason for these outbound ACLs? Maybe I'm missing something. I could understand it on a Checkpoint but not on the PIX. Our new parent company (big bank) is recommending this. Would we be doing this to protect us just in case the PIX security ever got compromised?

Another quick one: What's the general feeling on PDM? I've always managed my PIXs from CLI. Sometimes it would be nice to see things and manage from a GUI..

Thanks,

Rich

3 Replies

rschroed
Level 1

I should probably add that adding ACLs could act to control or limit what my "inside" users can/can't do from a policy level.

Most firewall administrators adhere to the policy of "that which is not expressly permitted is denied," which would dictate the use of outbound ACLs. Besides being a good Internet citizen, any DoS attack outbound will consume your available Internet bandwidth, thereby bringing your business to a halt and having an impact on your operation.

Yes, you can use the outbound policy to try and restrict what services your users can use, but it only goes so far. A lot of stuff is now capable of running on port 80, and you can't shut that down. Furthermore, PIX does not have any application inspection (yet), so your mileage may vary on this point.

Personally, I have always recommended the use of outbound ACLs for the DoS reason and the fact that I want to know as much as possible what traffic is going through my firewalls. I also believe Cisco should make that the default behavior of the firewall (as well as disable ping to interfaces), which would be the same default behavior as just about every other major firewall vendor.

I once did a consulting gig for another company that had the default "permit all" policy in place outbound. We discovered they were actively participating in a DoS attack, but no one there knew it, nor could they tell from the volumes of logs generated. That's part of the problem with letting everything out. It can sometimes be very hard to tell the legitimate traffic from the bad stuff.

As for the PDM, it's a lot like tequila: An acquired taste. People either love it or hate it. I use it a lot to monitor traffic such as VPN tunnels, etc. (doing a show crypto ipsec sa in the command line is a pain), but for configuration, I still use the CLI. My major beef with the PDM is it continually inserts commands like 'pdm location' to help it sort out what is connected to what interface. I guess if I used the PDM full time, that wouldn't bother me as much. I do find it a bit slower on our WAN connections, though, so I stick with the CLI.

Thanks for the reply and comments. What you said makes sense and was exactly what I was looking for. I hear you on making the PIX behavior allow only by permission and deny everything else by default.

I've been pulling logs on the PIX and parsing them to tell me what's going on in preparation to lock it down to allow only what should be rather than permit all from inside to outside. Quick question on this: While the vast majority of my traffic exercises the typical Internet traffic, I do see a certain amount of what I call "noise" that is running primarily in the port range from 2000-3000. I've researched some of the individual ports and it mostly looks like obscure traffic (examples: 3109/personnel protocol, 2280/lnvpoller, 2112/caupcremote). Has anyone seen this type of noise? I'm inclined to allow only the known stuff and deny everything else and wait for a user to call the help desk to assist in determining if this noise was caused with any intent. I really can't pin this noise down to any legitimate application. This could take some time as I'll probably need to load/unload the inbound ACL on the inside interface if this happens. I've read that the PIX only allows one ACL per interface per direction and that it doesn't really make sense to apply an outbound interface on a PIX. Does anyone have any comment on this?

In regards to the comment on the PIX doing application inspection: We are in the process of implementing the Facetime suite of products to help us out with P2P and IM control. Looks pretty good so far.

PDM: Thanks for the comments here too. I'm still on the fence. I agree that I probably wouldn't manage the configs from here but would probably like to see the stats, etc... Is it difficult to implement?

Thanks
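As an added example (not code from this thread or from Cisco), here is a Python script that does the two things discussed above: it tallies the outbound connections recorded in PIX 6.x syslog, separates the known services from the "noise" together with the inside hosts generating it, and renders the permit-by-exception access list that is applied inbound on the inside interface (PIX 6.x `access-group` only supports the `in` direction, which is why the "outbound" policy is applied there). The sample log lines, the KNOWN_SERVICES policy and the ACL name `inside_out` are constructed assumptions; the message wording follows PIX 6.x messages 302013 (TCP) and 302015 (UDP).

```python
"""Profile outbound PIX connections and emit a deny-by-default inside ACL.

Added example, not from the original thread or Cisco. Assumes the PIX 6.x
302013/302015 "Built outbound ... connection" wording and PIX 6.x ACL syntax.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic). In the "Built outbound"
# messages the first address pair is the outside (server) side, so its port is
# the destination service; the "to inside:" pair is the internal client.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.20/3456 (192.0.2.1/3456)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.11/443 (203.0.113.11/443) to inside:10.1.1.21/3457 (192.0.2.1/3457)
%PIX-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.20/1045 (192.0.2.1/1045)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.12/2280 (203.0.113.12/2280) to inside:10.1.1.22/1100 (192.0.2.1/1100)
%PIX-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.13/3109 (203.0.113.13/3109) to inside:10.1.1.22/1101 (192.0.2.1/1101)
%PIX-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.23/3458 (192.0.2.1/3458)
%PIX-6-302013: Built inbound TCP connection 1007 for outside:198.51.100.9/4000 (198.51.100.9/4000) to inside:10.1.1.50/25 (192.0.2.2/25)
"""

LINE_RE = re.compile(
    r"%PIX-6-30201[35]: Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for outside:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \S+ "
    r"to inside:(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
)

# Hypothetical site policy: the only services allowed out. (proto, port).
KNOWN_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}
# The range the thread calls "noise"; used only to flag entries in the report.
NOISE_RANGE = range(2000, 3001)


def parse_outbound(log_text):
    """Return (proto, dst_port, src_ip) for every outbound connection line.

    Inbound connections and unrelated messages are skipped.
    """
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["proto"].lower(), int(m["dst_port"]), m["src_ip"]))
    return records


def port_profile(records):
    """Count outbound connections per (proto, dst_port)."""
    return Counter((proto, port) for proto, port, _ in records)


def classify(profile, known):
    """Split the profile into services on the allow list and everything else."""
    known_hits = {svc: n for svc, n in profile.items() if svc in known}
    noise = {svc: n for svc, n in profile.items() if svc not in known}
    return known_hits, noise


def noise_sources(records, known):
    """Map each unknown service to the inside hosts that used it, so the help
    desk knows whom to ask once the deny-by-default ACL is applied."""
    sources = {}
    for proto, port, src_ip in records:
        if (proto, port) not in known:
            sources.setdefault((proto, port), set()).add(src_ip)
    return sources


def render_acl(known, acl_name="inside_out"):
    """PIX 6.x ACL: permit the known services, deny the rest, and bind it
    inbound on the inside interface (the direction PIX 6.x access-group takes)."""
    lines = [f"access-list {acl_name} permit {proto} any any eq {port}"
             for proto, port in sorted(known)]
    lines.append(f"access-list {acl_name} deny ip any any")
    lines.append(f"access-group {acl_name} in interface inside")
    return lines


if __name__ == "__main__":
    recs = parse_outbound(SAMPLE_LOG)
    known_hits, noise = classify(port_profile(recs), KNOWN_SERVICES)
    print("known services:", known_hits)
    print("unknown services (noise):")
    for svc, hosts in sorted(noise_sources(recs, KNOWN_SERVICES).items()):
        flag = " [2000-3000 range]" if svc[1] in NOISE_RANGE else ""
        print(f"  {svc[0]}/{svc[1]}{flag}: {sorted(hosts)} ({noise[svc]} conn)")
    print("\n".join(render_acl(KNOWN_SERVICES)))
```

Run it against a real `show logging` capture or a syslog export instead of SAMPLE_LOG to get the per-port profile before the ACL goes in; the hosts listed under each unknown port are the ones whose users will call once that port is denied, which shortens the load/unload cycle described above.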
