Network Segmentation Approaches

Gene LeDuc gleduc at mail.sdsu.edu
Tue May 5 23:58:19 UTC 2015


On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399 at gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography.  The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of
> policy.

The firewalls I've worked with don't log denies if they are due to an 
implicit deny-all at the end of the policy.  I always put one in at the 
end to make sure that the attempt is logged.

Gene
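As an added illustration of the point above (example code, not from the thread; the ACL syntax, addresses and packets are made up for it): a toy first-match policy evaluator in which a packet that matches no rule falls to the implicit deny and leaves no log line at all, while the same packet against a policy that ends in an explicit "deny ... log" rule is recorded.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")  # IPv4-only toy; the "any" keyword maps here


class Rule:
    """One line of a made-up ACL syntax: ACTION PROTO SRC DST DPORT [log]."""

    def __init__(self, text: str):
        parts = text.split()
        self.action, self.proto, src, dst, dport = parts[:5]
        self.src = ANY if src == "any" else ip_network(src)
        self.dst = ANY if dst == "any" else ip_network(dst)
        self.dport: Optional[int] = None if dport == "any" else int(dport)
        self.log = len(parts) > 5 and parts[5] == "log"

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(policy: List[Rule],
             packet: Tuple[str, str, str, int]) -> Tuple[str, List[str]]:
    """First-match evaluation of (proto, src, dst, dport); returns (action, log_lines)."""
    proto, src, dst, dport = packet
    for number, rule in enumerate(policy, 1):
        if rule.matches(proto, src, dst, dport):
            line = f"rule {number} {rule.action} {proto} {src}->{dst}:{dport}"
            return rule.action, [line] if rule.log else []
    # No rule matched: the implicit deny drops the packet but writes nothing
    # to the log, so the attempt is invisible to whoever reads the logs.
    return "deny", []


# Constructed policies: the same permit rule, with and without an explicit
# logged deny-all as the final line.
IMPLICIT_DENY = [Rule("permit tcp any 10.0.0.5/32 22 log")]
EXPLICIT_DENY = IMPLICIT_DENY + [Rule("deny any any any any log")]

if __name__ == "__main__":
    probe = ("tcp", "203.0.113.9", "10.0.0.5", 3389)  # constructed unwanted packet
    print(evaluate(IMPLICIT_DENY, probe))  # ('deny', [])  -- dropped silently
    print(evaluate(EXPLICIT_DENY, probe))  # ('deny', ['rule 2 deny tcp 203.0.113.9->10.0.0.5:3389'])
```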


