I am replacing my PIX with a new ASA. When my PIX was deployed, I used a consultant to get it online quickly. Later I realized he used a lot of wildcards in the config (any to any). Since the initial deployment I have cleaned a lot of them up. Here is my question. I have always used the guideline that the firewall should be very secure. No traffic should be able to pass out or in unless I allow it. There are some "any to any" ACLs in for services like DNS and some others. I like to use "object-groups" in my config and group my networks and hosts. This will ultimately make the config bigger and thus create more processing power on the ASA. Am I right to use the "object-group" for these types of services, or am I just overthinking this?