I've got nothing more than common sense to offer.
Tap the network, collect network flows and verify the network flows.
Introduce rules to permit those network flows.
When we did this, we discovered that network flows are a long tail distribution. Work from both ends:
- Work with stakeholders to determine business needs, and document those as firewall permit rules. This requires a lot of soft skill negotiation in tandem with other activities.
- Study the high traffic flows, validate that they are aligned with business needs, and permit them explicitly.
- Study the low frequency network flows and see if they align with business needs; if not, block them.
- Get access to a blacklist with known bad actors; alarm or block these (this is a good step to use to feed to stakeholders).
In each case, when you think you've identified a bad flow, run it as an alarm until you can get stakeholders to agree that it is not aligned with business needs.
Depending on how close you are to your management, I'd measure each of these steps and advertise the results. Measure the bandwidth through your permit rules and your deny rules and let management know that you've preserved the value of X MB (and at the current price of bandwidth, that's $) and you've denied Y MB of traffic (at the current price, that's $). I'd probably also include that I'm studying Z MB of traffic. Ultimately your work is blocking attacks, preserving the network for legitimate uses, and significantly advancing the state of the company's continuity of operations, disaster recovery and devolution plans.
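As an added illustration of the long-tail triage and the management numbers described in this answer (example code, not the poster's own), the script below aggregates flow records per destination and port, buckets them into permit / block / study / alarm, and totals the bytes for the "preserved / denied / studying" report. The flow records, the stakeholder permit list, the bad-actor entry and the high-traffic threshold are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 900_000),
    ("10.0.1.6", "10.0.2.10", 443, 800_000),
    ("10.0.1.5", "10.0.2.11", 25, 120_000),
    ("10.0.1.7", "10.0.2.13", 3389, 600_000),
    ("10.0.1.9", "192.0.2.77", 6667, 4_000),
    ("10.0.1.8", "10.0.2.12", 23, 500),
]
BUSINESS_PERMITS = {("10.0.2.10", 443), ("10.0.2.11", 25)}  # stakeholder-approved (dst, port)
BAD_ACTORS = {"192.0.2.77"}   # constructed blacklist entry, not a real indicator
HEAD_THRESHOLD = 500_000      # bytes per (dst, port) above which a flow counts as high traffic

def aggregate(flows):
    """Sum bytes per (dst, port) so the head and tail of the distribution are visible."""
    totals = defaultdict(int)
    for _src, dst, port, nbytes in flows:
        totals[(dst, port)] += nbytes
    return dict(totals)

def triage(flows, permits=BUSINESS_PERMITS, bad=BAD_ACTORS, head=HEAD_THRESHOLD):
    """Bucket bytes the way the answer works the long tail from both ends."""
    buckets = {"permit": 0, "block": 0, "study": 0, "alarm": 0}
    for (dst, port), nbytes in aggregate(flows).items():
        if dst in bad:
            buckets["block"] += nbytes   # known bad actor: alarm or block outright
        elif (dst, port) in permits:
            buckets["permit"] += nbytes  # documented business need: permit rule
        elif nbytes >= head:
            buckets["study"] += nbytes   # head of the distribution: validate, then permit
        else:
            buckets["alarm"] += nbytes   # tail: run as an alarm until stakeholders agree to block
    return buckets

def management_summary(buckets, price_per_mb):
    """Preserved / denied / studying figures in MB and at the given price per MB."""
    to_mb = lambda b: b / 1_000_000
    preserved = to_mb(buckets["permit"])
    denied = to_mb(buckets["block"])
    studying = to_mb(buckets["study"] + buckets["alarm"])
    return {
        "preserved_mb": preserved, "preserved_value": preserved * price_per_mb,
        "denied_mb": denied, "denied_value": denied * price_per_mb,
        "studying_mb": studying,
    }

if __name__ == "__main__":
    print(management_summary(triage(FLOWS), price_per_mb=0.10))
```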