Network Segmentation Approaches
- Subject: Network Segmentation Approaches
- From: rsk at gsp.org (Rich Kulawiec)
- Date: Tue, 5 May 2015 07:34:45 -0400
On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 at roadrunner.com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks. [snip]
I break them up by function and (when necessary) by the topology
enforced by geography. The first rule in every firewall is of
course "deny all" and subsequent rulesets permit only the traffic
that is necessary. Determining what's necessary is done via a number
of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting
is imposed based on a multiplier of observed maxima. Performance
tuning is done after functionality and is usually pretty limited:
modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
traffic even on modest hardware.
---rsk
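As an added example, not part of Rich's message: a pf.conf sketch of the approach he describes (a "deny all" first rule, explicit permits per functional segment, rate limits set to a multiple of observed maxima). Interface names, addresses, hosts and the observed figures are assumptions.

```pf
# Added example pf.conf (OpenBSD), not from the post. Segments are split by
# function; everything is denied first; permits are explicit; rate limits are
# a multiplier of a baseline measured with tcpdump/argus. All names, addresses
# and observed figures below are assumed for illustration.
ext_if  = "em0"            # upstream link
dmz_if  = "em1"            # public services segment
lan_if  = "em2"            # staff workstation segment
mgmt_if = "em3"            # management / monitoring segment

dmz_web = "{ 192.0.2.10 192.0.2.11 }"   # assumed web hosts in the DMZ
mon_box = "192.0.2.100"                 # assumed monitoring host (ntop/argus)

# Sources that exceed a rate limit are added here and dropped thereafter.
table <overlimit> persist

set skip on lo
match in all scrub (no-df)

# Rule 1: deny everything, logged, so every pass rule below is an explicit
# exception that had to be justified by observed traffic.
block log all

# Reject forged source addresses on the internal segments and known offenders.
antispoof quick for { $lan_if $dmz_if $mgmt_if }
block quick from <overlimit>

# Internet -> DMZ web hosts. Assumed baseline from tcpdump/argus: at most
# ~40 new connections per 10 s from one source. Limit is 3x that (120/10),
# so legitimate bursts pass while floods trip the overload table.
# The default floating state policy carries the state through the egress side.
pass in on $ext_if proto tcp to $dmz_web port { 80 443 } \
    keep state (max-src-conn-rate 120/10, overload <overlimit> flush global)

# LAN -> DMZ: HTTPS only; the LAN is assumed never to reach the Internet
# directly (an outbound proxy is assumed to live in the DMZ).
pass in on $lan_if proto tcp from $lan_if:network to $dmz_web port 443

# Management segment is the only one permitted to SSH anywhere; a low
# connection rate is plenty for administrators and catches scripted abuse.
pass in on $mgmt_if proto tcp from $mgmt_if:network to any port 22 \
    keep state (max-src-conn-rate 10/30, overload <overlimit> flush global)

# The firewall itself exports syslog to the monitoring host on the mgmt segment.
pass out on $mgmt_if proto udp from self to $mon_box port 514
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -t overlimit -T show` after a baselining period to confirm the multiplier is not catching legitimate peers.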