Customer-facing ACLs

Scott Weeks surfer at mauigateway.com
Mon Mar 10 20:05:00 UTC 2008




---------- sean at donelan.com wrote: ----------
On Mon, 10 Mar 2008, Scott Weeks wrote:

> The hard part is I now always take over networks that have been in 
> operation a long time and enabling these policies can be very painful 
> after the fact.  Establishing them when the network is new is a 
> different story.

Whatever you decide, whether you know what the policies are or not, there
is always a set of default network policies.

The question is do you explain to your customers just as carefully what
your default policy doesn't do, as well as what it does?  Do you take
just as much time to carefully explain the risks and what may break to
your customers of allowing that traffic as you would of not allowing that
traffic?

It seems to be very painful whatever decision is made.
-------------------------------------------------



The default policy is we allow everything.  It takes no explaining.

I understand the port 25 issue and am reconsidering it for dynamic addresses on outbound traffic, but at least one person on NANOG showed me a use of that.  Like network engineers at many other companies, I'm spread so thin that it's hard to find the time to do work like this and I keep putting it on the back burner.  VZ had it completely open and I have followed that as we separated this network from their network, as I can't take on the extra work of fixing brokenness that would result from applying the filter.

scott