Network Segmentation Approaches
gleduc at mail.sdsu.edu
Tue May 5 23:58:19 UTC 2015
On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399 at gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography. The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
> Deny all really isn't needed with modern machines but that is a matter of
The firewalls I've worked with don't log denies if they are due to an
implicit deny-all at the end of the policy. I always put one in at the
end to make sure that the attempt is logged.
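As an added example that is not part of the thread, here is a small Python check over an `iptables-save` dump that flags deny-by-default chains lacking the explicit LOG + DROP pair described above (chains that fall through to the implicit policy, whose denials go unlogged); both dumps are constructed sample data.

```python
import re

# Constructed iptables-save dumps (sample data, not from the post). Policy A relies on the
# chains' default DROP policy alone, so denied packets are never logged.
POLICY_IMPLICIT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Policy B ends each deny-by-default chain with an explicit LOG + DROP pair.
POLICY_EXPLICIT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DENY: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FWD-DENY: "
-A FORWARD -j DROP
COMMIT
"""

def parse_filter_table(dump):
    """Return (chain -> default policy, chain -> ordered list of -j targets)."""
    policies, targets = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            targets[chain] = []
        elif line.startswith("-A "):      # "-A CHAIN <matches> -j TARGET ..."
            chain = line.split()[1]
            m = re.search(r"\s-j\s+(\S+)", line)
            targets.setdefault(chain, []).append(m.group(1) if m else "")
    return policies, targets

def unlogged_deny_chains(dump):
    """Chains that deny by default without a LOG rule immediately before a final DROP/REJECT."""
    policies, targets = parse_filter_table(dump)
    findings = []
    for chain, policy in policies.items():
        if policy not in ("DROP", "REJECT"):
            continue
        tail = targets[chain][-2:]
        logged = len(tail) == 2 and tail[0] in ("LOG", "NFLOG") and tail[1] in ("DROP", "REJECT")
        if not logged:
            findings.append(chain)
    return findings
```

Run it against `iptables-save` output from a real host to list the chains whose denials would leave no trace in the logs.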