There are ways and there are ways
"ta center by allowing only trusted applications to communicate over approved network paths."
The impression given by statements like this is that this is a default deny, whitelist approach, but using (FTA, and comment) authentication, domain controller, and ipcs to determine if both source and destination are 'known valutes'.
Question: -> how much *additional* network traffic is added by the whitelist to authentication verification, and what are the timecycles like? What sort of authority level is required by the 'firewall' itself in order to run this toolset?