Network Segmentation Approaches

Rich Kulawiec rsk at
Wed May 6 23:05:59 UTC 2015

On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> --- rsk at wrote:
> From: Rich Kulawiec <rsk at>
> The first rule in every firewall is of course 
> "deny all" and subsequent rulesets permit only 
> the traffic that is necessary.  
> ------------------------------------
> I think you got this backward?  That way all 
> traffic is blocked, so none is allowed through.  

Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it.  This in
turn helps avoid making mistake #1:

	The Six Dumbest Ideas in Computer Security


More information about the NANOG mailing list