Whenever you look at a firewall rule, half the time you’re going to be asking yourself, “Why is that there? Did *I* put it there? Do we still need it?” It would sure be nice if the explanation were right there, as a comment that could be version-tracked, exported into nice reports, searched on, and placed in a standard format that would be compatible with other exception entries in other tools. (Kind of like a syslog for exceptions.) It would be nice if you could mark a scanner finding as, “We KNOW it’s there. We’re not going to fix it. Just for these two machines, STOP REPORTING ON THIS.”
Insightful article. I can’t count the number of times I have asked myself exactly this, and hoped for a good, INTEGRATED way of keeping track of these exceptions.