Network Segmentation Approaches
marka at isc.org
Tue May 5 23:34:45 UTC 2015
In message <20150505113445.GB24399 at gsp.org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 at roadrunner.com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks. [snip]
> I break them up by function and (when necessary) by the topology
> enforced by geography. The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.
The first rule of every firewall should be to enforce BCP 38 outbound.
Deny all really isn't needed with modern machines but that is a matter of
> Determining what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting
> is imposed based on a multiplier of observed maxima. Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
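As an added illustration (not part of the thread or anyone's posted configuration), the following pf.conf sketch combines the two points made above: a default-deny policy with explicit permits, and BCP 38 enforced outbound on the upstream-facing interface. Interface names, prefixes and the permitted ports are constructed assumptions.

```pf
# Constructed assumptions: em0 faces upstream, em1 faces the internal segment,
# and <ours> holds the prefixes this site legitimately originates.
ext_if = "em0"
int_if = "em1"
table <ours> const { 192.0.2.0/24, 2001:db8::/32 }

set skip on lo0

# Default policy: deny everything; later rules permit only what is required.
block log all

# BCP 38 egress: a packet may only leave the upstream interface if its source
# address is one we originate. Anything else is spoofed or misrouted; log it.
block out quick log on $ext_if inet  from ! <ours>
block out quick log on $ext_if inet6 from ! <ours>

# The mirror image on ingress: our own prefixes never arrive from upstream.
block in  quick log on $ext_if from <ours>

# Drop traffic whose source does not belong on the interface it arrived on.
antispoof quick for { $int_if, $ext_if }

# IPv6 neighbour discovery must survive the default deny or v6 stops working.
pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }

# Permit only the services this segment actually needs (constructed list).
pass in  on $int_if proto { tcp, udp } from $int_if:network to any \
    port { 53, 80, 443 } keep state
pass out on $ext_if proto { tcp, udp } from <ours> to any \
    port { 53, 80, 443 } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then inspect `pfctl -sr` and the `block log` entries on pflog0 to see which flows the default deny and the egress filter are actually catching.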