Lastly, the role of site security policy is especially important with regard to firewall administration. A firewall should be viewed as an implementation of a policy; policy should never be made by the firewall implementation. In other words, agreement on what protocols to filter, application gateways, and other items regarding the nature of network connectivity need to be codified beforehand, because ad hoc decisions will be difficult to defend and will eventually complicate firewall administration.
As an example of the above, suppose a firewall is installed that blocks RPC-based traffic from entering or leaving a protected subnet. Later, users on hosts within the subnet wish to use RPC services between hosts on the outside. If no policy exists to defend the RPC filtering rules, it may be difficult to deny access to the hosts, especially if productivity would be impaired by continuing to enforce the filtering. Once exceptions are made, they will most likely continue to be made, until the level of filtering becomes very weak, or the filtering rules become so complex as to be unmanageable.
The example points out that filtering and connectivity policy needs to incorporate not only security needs, but the computing needs of the organization. If the computing needs are ignored or short-changed, the firewall may become too complex to administer or may become essentially useless. Security requirements need to be weighed carefully and accommodations may need to be made if productivity will be hampered by the security policy. In some cases, moving a firewall ``higher up'' in a subnet, such as locating it at a site's Internet gateway as opposed to a subnet, will solve many problems. For more information, [PR91] contains useful advice on creating security policies for Internet sites that incorporate modes of work and network connectivity requirements.