Network Segmentation Approaches

On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399 at gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography.  The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of
> policy.

The firewalls I've worked with don't log denies if they are due to an
implicit deny-all at the end of the policy. I always put one in at the
end to make sure that the attempt is logged.

Gene
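An added example of the pattern Gene describes, written as an nftables ruleset (this is not from the thread): the chain policy is the implicit deny, which drops silently, while an explicit final rule logs before dropping so the attempt is recorded. The interface name and permitted ports are assumptions chosen for illustration.

```nft
# Added example, not from the thread. "eth0" and the allowed ports
# (22, 443) are assumptions for illustration only.
table inet filter {
    chain input {
        # Implicit deny: anything that falls off the end of this chain is
        # dropped by the chain policy, but the policy itself emits no log.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept
        ct state invalid counter drop

        # Permit only the traffic that is necessary.
        iif "eth0" tcp dport { 22, 443 } ct state new accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Explicit final deny-all: log the attempt (rate-limited so a
        # flood cannot fill the kernel log), then drop with a counter.
        # Packets over the log limit are still dropped by the next rule.
        limit rate 10/second burst 20 packets log prefix "nft-input-deny: " level info
        counter drop
    }
}
```

Load it with `nft -f <file>`; the logged denies then appear in the kernel log (`dmesg` or `journalctl -k`) with the `nft-input-deny:` prefix, and `nft list ruleset` shows the drop counter climbing.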