Network Segmentation Approaches

Mark Andrews marka at
Tue May 5 23:34:45 UTC 2015

In message <20150505113445.GB24399 at>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 at wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks.  [snip]
> I break them up by function and (when necessary) by the topology
> enforced by geography.  The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.

The first rule of every firewall should be to enforce BCP 38 out bound.

Deny all really isn't needed with modern machines but that is a matter of

> Determing what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc.  When possible, rate-limiting
> is imposed based on a multiplier of observed maxima.  Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
> ---rsk
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list