Complexity is a common adversary of security, implying that fewer rules means stronger rules. The naive firewall admin might first suppose that a default deny rule for incoming traffic is the most secure standing. This demonstrates a commendable start towards understanding homeopathic firewalls, but fails to take into consideration the holistic nature of a firewall to control traffic from the bad Internet into and — here’s the catch — out of a protected network. The homeopathic law of symmetric unopposition demands that a remedy be inversely applied in order to truly be effective. Bad traffic from the Internet is not supposed to traverse the firewall into the protected network. Good traffic from the protected network is expected to pass through the firewall to the Internet.
Consequently, the secure, homeopathic firewall should be configured to accept all incoming traffic and deny all outgoing traffic. By concentrating the firewall’s power into a single, uncomplicated rule it will be able to block the deadliest attacks imaginable against the network. French security researchers, inspired by l’Hospital’s rule regarding limits, are investigating the possibilities of removing a firewall entirely in order to reach greater magnitudes of protection. This technique, though grounded in mathematical rigor, must be employed with care; remember that one (i.e. a network) divided by zero (i.e. no firewall) is undefined and therefore provides uncertain security, but l’Hospital’s rule suggests that one divided by ever-decreasing values that approach zero very carefully (i.e. installing the firewall, then removing it bit by bit) leads to infinity — the best protection possible!