nanog mailing list archives

Re: Network Segmentation Approaches


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 6 May 2015 19:05:59 -0400

On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> --- rsk () gsp org wrote:
> From: Rich Kulawiec <rsk () gsp org>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
> I think you got this backward?  That way all
> traffic is blocked, so none is allowed through.

Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it.  This in
turn helps avoid making mistake #1:

        The Six Dumbest Ideas in Computer Security
        http://www.ranum.com/security/computer_security/editorials/dumb/

---rsk
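Added illustration for this archive page (example code, not from either poster): a small Python model of how the placement of a catch-all deny interacts with a packet filter's match semantics. On a first-match engine such as iptables or a Cisco ACL, a bare "deny all" as rule #1 shadows every rule after it, so the default deny is expressed as the chain policy (or as the last rule) with the specific permits in front of it; on OpenBSD pf, where the last matching rule wins and unmatched packets are passed, "block all" is literally the first line. The rule set, addresses (RFC 5737 documentation ranges) and sample packets are constructed for the example, and the shadowed-rule lint is the check worth running on any first-match rule base.

```python
"""Where a catch-all deny belongs depends on the filter's match semantics.

Added example; not code from the thread's participants.  Rules, addresses
and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

    def is_catch_all(self) -> bool:
        """True if the rule matches every packet (a bare 'deny all')."""
        return (ip_network(self.src).prefixlen == 0
                and ip_network(self.dst).prefixlen == 0
                and self.proto is None and self.dport is None)


def first_match(rules: List[Rule], policy: str, p: Packet) -> str:
    """iptables / Cisco ACL style: the first matching rule decides;
    the chain policy applies only when no rule matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy


def last_match(rules: List[Rule], p: Packet) -> str:
    """OpenBSD pf style (rules without 'quick'): every rule is evaluated
    and the last match wins; a packet matching no rule is passed, which
    is why pf.conf conventionally opens with 'block all'."""
    decision = "permit"
    for r in rules:
        if r.matches(p):
            decision = r.action
    return decision


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Lint for first-match engines: indexes of rules that can never fire
    because an earlier catch-all rule already decides every packet."""
    for i, r in enumerate(rules):
        if r.is_catch_all():
            return list(range(i + 1, len(rules)))
    return []


# Constructed rule set: the only traffic this host is meant to accept.
DENY_ALL = Rule("deny")
PERMITS = [
    Rule("permit", dst="192.0.2.0/24", proto="tcp", dport=443),
    Rule("permit", src="198.51.100.0/24", dst="192.0.2.10/32",
         proto="tcp", dport=22),
]

# Constructed sample packets.
WEB = Packet("203.0.113.5", "192.0.2.7", "tcp", 443)
SSH_FROM_MGMT = Packet("198.51.100.9", "192.0.2.10", "tcp", 22)
SSH_FROM_ELSEWHERE = Packet("203.0.113.5", "192.0.2.10", "tcp", 22)
DNS = Packet("203.0.113.5", "192.0.2.7", "udp", 53)
SAMPLES = {"web": WEB, "ssh_mgmt": SSH_FROM_MGMT,
           "ssh_other": SSH_FROM_ELSEWHERE, "dns": DNS}


def literal_deny_first(p: Packet) -> str:
    """'deny all' as rule #1 of a first-match chain: nothing gets through."""
    return first_match([DENY_ALL] + PERMITS, "permit", p)


def default_deny_first_match(p: Packet) -> str:
    """Default deny on a first-match engine: deny is the chain policy and
    the explicit permits sit in front of it."""
    return first_match(PERMITS, "deny", p)


def block_all_first_pf(p: Packet) -> str:
    """Default deny on a last-match engine: 'block all' literally first,
    followed by the specific pass rules."""
    return last_match([DENY_ALL] + PERMITS, p)


def decisions(evaluator) -> dict:
    return {name: evaluator(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, ev in (("deny-all first, first-match", literal_deny_first),
                     ("policy deny, first-match", default_deny_first_match),
                     ("block all first, last-match", block_all_first_pf)):
        print(f"{name}: {decisions(ev)}")
    print("shadowed by catch-all:", shadowed_rules([DENY_ALL] + PERMITS))
```

Running it shows the three readings side by side: the literal deny-first chain returns "deny" for every sample packet and the lint reports rules 1 and 2 as shadowed, while both default-deny arrangements permit exactly the HTTPS and management-SSH packets and drop the rest.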
