Re: Network Segmentation Approaches

[Mark Andrews <marka () isc org>]

In message <20150505113445.GB24399 () gsp org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 () roadrunner com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks.  [snip]
>
> I break them up by function and (when necessary) by the topology
> enforced by geography.  The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.

The first rule of every firewall should be to enforce BCP 38 out bound.

Deny all really isn't needed with modern machines but that is a matter of
policy.

> Determing what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc.  When possible, rate-limiting
> is imposed based on a multiplier of observed maxima.  Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
>
> ---rsk
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org