Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Block all traffic entering and leaving the network, but permit specific traffic based on organizational policies, exceptions, or criteria. This process of permitting only authorized traffic to the network is called whitelisting and limits the number of unintentional connections to the network. By only allowing authorized traffic in and out of your network you can mitigate a wide range of security threats. This control may be tricky to implement, be sure to carefully plan its implementation.

Only allow authorized traffic in and out of your network. This can be accomplished using firewall rules. This includes blocking ports, IP addresses, and the types of websites users can access. Before blocking traffic, carefully document which traffic needs to enter and and exit your network. Document why you have determined to allow some traffic.