I don't need no stinking firewall!
herrin-nanog at dirtside.com
Wed Jan 6 01:45:17 CST 2010
On Tue, Jan 5, 2010 at 9:20 PM, Rich Kulawiec <rsk at gsp.org> wrote:
> A firewall is another layer in a defense-in-depth strategy, but tends
> to only be truly effective if the first rule in it is
> deny all from any to any
Not surprisingly, good network security starts with and incorporates
the protected users as its most important element. Start with "deny
all" and not only won't they work with you, the more creative among
them will teach the others how to work around you.
I've seen it over and over again and the faulty design always starts
with a deny-all mentality.
Can you imagine a deny-all mentality in physical security? I'm sorry
sir, you can't leave your house until you justify your need to walk
down the street.
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
More information about the NANOG