Network Segmentation Approaches

• Previous message (by thread): Network Segmentation Approaches
• Next message (by thread): Network Segmentation Approaches
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 at roadrunner.com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks.  [snip]

I break them up by function and (when necessary) by the topology
enforced by geography.  The first rule in every firewall is of
course "deny all" and subsequent rulesets permit only the traffic
that is necessary.  Determing what's necessary is done via a number
of tools: tcpdump, ntop, argus, nmap, etc.  When possible, rate-limiting
is imposed based on a multiplier of observed maxima.  Performance
tuning is done after functionality and is usually pretty limited:
modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
traffic even on modest hardware.

---rsk

• Previous message (by thread): Network Segmentation Approaches
• Next message (by thread): Network Segmentation Approaches
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]