I don't need no stinking firewall!

William Herrin herrin-nanog at dirtside.com
Wed Jan 6 07:45:17 UTC 2010

On Tue, Jan 5, 2010 at 9:20 PM, Rich Kulawiec <rsk at gsp.org> wrote:
> A firewall is another layer in a defense-in-depth strategy, but tends
> to only be truly effective if the first rule in it is
>        deny all from any to any

Not surprisingly, good network security starts with and incorporates
the protected users as its most important element. Start with "deny
all" and not only won't they work with you, the more creative among
them will teach the others how to work around you.

I've seen it over and over again and the faulty design always starts
with a deny-all mentality.

Can you imagine a deny-all mentality in physical security? I'm sorry
sir, you can't leave your house until you justify your need to walk
down the street.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

More information about the NANOG mailing list