Network Segmentation Approaches
In message <20150505113445.GB24399 at gsp.org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 at roadrunner.com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks. [snip]
>
> I break them up by function and (when necessary) by the topology
> enforced by geography. The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.
The first rule of every firewall should be to enforce BCP 38 outbound.
Deny all really isn't needed with modern machines but that is a matter of
policy.
> Determining what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting
> is imposed based on a multiplier of observed maxima. Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
>
> ---rsk
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
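An added example, not from the thread or its authors, sketching in pf.conf syntax (Rich mentions pf/OpenBSD) the rule ordering discussed above: BCP 38 egress filtering first, then a default deny followed by explicit permits. The interface name em0, the host 192.0.2.10 and the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 are assumed placeholders for a site's own address space.

```pf
# Added example (not from the thread): pf.conf sketch of the ordering Mark
# Andrews describes. Assumed: external interface em0, and the documentation
# prefixes 192.0.2.0/24 and 2001:db8::/32 standing in for the site's own space.
ext_if = "em0"
table <our_nets> const { 192.0.2.0/24, 2001:db8::/32 }

# BCP 38 first: no packet leaves the external interface with a source address
# outside our own prefixes. A table is used here because "!" applied to a
# { } list expands into one rule per element, which does not mean "not in
# the set". "quick" ends evaluation, so no later "pass" can override this.
block out quick on $ext_if from ! <our_nets> to any

# Mirror image on ingress: packets arriving from outside that claim one of
# our own addresses are spoofed and are dropped before anything else.
block in quick on $ext_if from <our_nets> to any

# Default deny; everything after this line permits only what is needed.
block log all

# Return traffic is matched by state, so only the initiating direction
# of each permitted flow needs a rule.
pass out on $ext_if proto { tcp udp } from <our_nets> to any keep state
pass in on $ext_if proto tcp from any to 192.0.2.10 port { 80 443 } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the expanded rules and confirms the BCP 38 block sits at the top.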