nanog mailing list archives
[no subject]
From: Jimmy Hess via NANOG <nanog () nanog org>
Date: Thu, 7 May 2015 23:39:32 +0000 (UTC)
--- Begin Message ---
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 7 May 2015 18:39:09 -0500
On Thu, May 7, 2015 at 7:12 AM, Rich Kulawiec <rsk () gsp org> wrote:
> Ah...got it, this was sloppy phrasing on my part. I meant "first" in the
> sense of "first rule that one should write". Depending on the firewall
> type/implementation, that might be the rule that's lexically first or last
> (or maybe somewhere else).
>
> ---rsk

Security best practice is to always have an active "cleanup" rule for every
traffic direction applicable to every pair of zones (or interfaces), with a
default DROP, to catch traffic matching no accept rule.

In practice, however... in the real world, many firewalls get configured
with this only in the INBOUND direction (default deny for packets written to
a higher-integrity zone from a lower-security zone), and default accept for
packets from a more secure zone to a less secure zone, since this has
superior usability and is lower maintenance.

And for client devices in a low-security environment, with just a simple
Layer 4 stateful inspection firewall, this is probably the right solution.

"Permit only traffic that is necessary" only works out if you are able to
rigidly define what exactly that traffic is in advance. Which is feasible to
do for servers and other single-purpose devices, but very expensive to do
for clients, at least without a firewall aware of the communications at the
application layer that can look at those UDP connections and say "OKAY, this
is Skype... allow it", or "This connection going out on port 80... it's not
a valid HTTP request, drop the connection now and cache a rule to deny
further connections to that IP:port number pair."

--
-JH
--- End Message ---
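A small audit of the cleanup-rule practice discussed in the message above, added here as an example and not code from the thread or its authors. The zone names, security levels and rules are constructed; it reports each zone-pair direction that lacks a terminal catch-all rule, flags default accept into an equal-or-higher-security zone, and honours Rich's point that the cleanup rule sits last on a first-match firewall but first on a last-match one.

```python
"""Audit a zone-based firewall policy for missing "cleanup" rules.

Added example; zone names, levels and rules below are constructed.
A cleanup rule is a catch-all (match == "any") for one zone pair and
direction. On a first-match firewall it must be the last rule for that
pair; on a last-match firewall it must be the first.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str          # "accept" or "drop"
    match: str = "any"   # "any" is a catch-all; otherwise e.g. "tcp/443"


# Constructed security levels: higher number = more trusted zone.
LEVELS = {"internet": 0, "dmz": 50, "lan": 100}


def cleanup_rule(rules, src, dst, first_match=True):
    """Return the terminal catch-all rule for src->dst, or None."""
    pair = [r for r in rules if r.src_zone == src and r.dst_zone == dst]
    if not pair:
        return None
    terminal = pair[-1] if first_match else pair[0]
    return terminal if terminal.match == "any" else None


def audit(rules, levels, first_match=True):
    """Map every (src, dst) direction to a finding string."""
    findings = {}
    for src, dst in permutations(levels, 2):
        term = cleanup_rule(rules, src, dst, first_match)
        if term is None:
            findings[(src, dst)] = "missing cleanup rule"
        elif term.action == "accept" and levels[src] <= levels[dst]:
            findings[(src, dst)] = "default accept into equal/higher zone"
        elif term.action == "accept":
            findings[(src, dst)] = "default accept outbound (usability trade-off)"
        else:
            findings[(src, dst)] = "ok"
    return findings


# Constructed sample policy, written for a first-match firewall.
SAMPLE = [
    Rule("internet", "dmz", "accept", "tcp/443"),
    Rule("internet", "dmz", "drop"),                # proper cleanup rule
    Rule("lan", "internet", "accept"),              # default accept outbound
    Rule("dmz", "internet", "accept", "tcp/53"),    # no cleanup rule at all
    Rule("dmz", "lan", "accept", "tcp/5432"),
    Rule("dmz", "lan", "accept"),                   # default accept "upward"
]

if __name__ == "__main__":
    for (src, dst), finding in sorted(audit(SAMPLE, LEVELS).items()):
        print(f"{src:>8} -> {dst:<8} {finding}")
```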
Current thread: Re: Network Segmentation Approaches