For better security: always "block all" or "block in all" is enough?
Greg Hennessy
Greg.Hennessy at nviz.net
Thu Jul 29 19:08:30 UTC 2010
> If, as you say, there are "Governance, Risk, and Compliance reasons",
> perhaps you'd like to specify one or two for each category?
Start with an ISMS derived from 27k, add a soupçon of PCI DSS requirement 10, Basel II, throw in SOX 404 or an SAS 70 type II audit, you get the picture.
> Logging a default deny on an internal firewall, yes - ok - I agree with you, that's probably reasonable.
Only probably? How much 'commercial' firewall work have you done again, seriously?
> However, logging every blocked packet on an internet facing firewall is plain daft.
Saying it doesn’t make it so.
> Even the storage requirements would be somewhat onerous,
Storage is cheap. Damage to reputation caused by being in breach of regulatory requirements w.r.t. log retention is not.
> and that's before trying to process the data into something meaningful.
> And all to confirm that there's a lot of noise and port scanning going on.
Or it's part of a much larger picture which is fed into an SIEM system for event correlation and consequent alerting.
Firewalls are not the only security control points.
Greg
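As an added example (not part of the thread) of the SIEM-side correlation the reply alludes to: a small Python script that parses blocked-packet records from pflog in the text form tcpdump prints for the pflog0 interface (that line format is assumed here, and the sample lines are constructed) and flags any source whose blocked packets touched several distinct destination ports.

```python
import re
from collections import defaultdict

# Assumed (not from the post): the text form tcpdump prints for pflog
# captures, e.g. "tcpdump -n -e -ttt -i pflog0", one packet per line.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return the fields of one pflog line as a dict, or None if it doesn't match."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None

def summarize_blocks(lines, port_threshold=3):
    """Aggregate blocked packets per source: packet count and distinct destination
    ports. A source reaching >= port_threshold distinct ports is flagged, the kind
    of simple correlation rule a SIEM applies on top of default-deny logs."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue  # passed traffic is kept out of the block summary
        entry = per_src[rec["src"]]
        entry["count"] += 1
        entry["ports"].add(int(rec["dport"]))
    flagged = sorted(src for src, e in per_src.items()
                     if len(e["ports"]) >= port_threshold)
    return dict(per_src), flagged

# Constructed sample lines in the assumed format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
000000 rule 0/0(match): block in on em0: 198.51.100.7.40001 > 203.0.113.10.22: Flags [S], seq 1, win 1024, length 0
000012 rule 0/0(match): block in on em0: 198.51.100.7.40002 > 203.0.113.10.23: Flags [S], seq 1, win 1024, length 0
000009 rule 0/0(match): block in on em0: 198.51.100.7.40003 > 203.0.113.10.80: Flags [S], seq 1, win 1024, length 0
000100 rule 0/0(match): block in on em0: 192.0.2.44.51234 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
000003 rule 3/0(match): pass in on em0: 192.0.2.9.33000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    per_src, flagged = summarize_blocks(SAMPLE_LOG)
    for src, e in per_src.items():
        print(f"{src}: {e['count']} blocked, ports {sorted(e['ports'])}")
    print("flagged:", flagged)
```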