Chapter 5. Security Policy

When you talk to vendors or attend a security course, they tell you to do this or that according to your site's security policy, but they rarely attempt to explain what a security policy is or how to write or evaluate one. This is why we have included this chapter in the book. Firewalls and other perimeter devices are active security policy–enforcement engines. As we examine the material, we discuss the fact that organizations often have unwritten policies. In the first half of this chapter, we explore the task of mapping policy to perimeter architectures and translating policy to enforceable firewall rules. In the second half of this chapter, we consider an approach to developing policy that requires understanding authority, ...

Get Inside Network Perimeter Security, Second Edition now with the O’Reilly learning platform.
