Network Segmentation Approaches
Rich Kulawiec
rsk at gsp.org
Wed May 6 23:05:59 UTC 2015
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> --- rsk at gsp.org wrote:
> From: Rich Kulawiec <rsk at gsp.org>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
> I think you got this backward? That way all
> traffic is blocked, so none is allowed through.
Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it. This in
turn helps avoid making mistake #1:
The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/
---rsk
More information about the NANOG
mailing list