nanog mailing list archives
Re: Network Segmentation Approaches
From: Gene LeDuc <gleduc () mail sdsu edu>
Date: Tue, 05 May 2015 16:58:19 -0700
On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399 () gsp org>, Rich Kulawiec writes:
> > I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of policy.
The firewalls I've worked with don't log denies if they are due to an implicit deny-all at the end of the policy. I always put one in at the end to make sure that the attempt is logged.
Gene
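As an added illustration (not from any post in this thread), the pattern Gene describes looks like this in an nftables ruleset: the chain policy already drops unmatched traffic, but only the explicit final log-and-drop rule produces a record of the attempt. The chain layout, the permitted services and the log prefix are assumptions chosen for the example.

```nft
# Added example, not from the thread: a minimal input policy that ends with an
# explicit, logged deny instead of relying on the silent chain policy.
# Chain layout, permitted services and log prefix are assumed for illustration.
table inet filter {
    chain input {
        # The policy drops anything that matches no rule, but a packet dropped
        # by the policy alone generates no log entry.
        type filter hook input priority 0; policy drop;

        # Permit only the traffic that is necessary (example services).
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        tcp dport { 22, 443 } accept

        # Explicit final deny. The log rule is what makes the rejected attempt
        # visible; it is rate-limited so a scan or flood cannot fill the log.
        # The trailing drop states the policy's behaviour explicitly.
        limit rate 10/second burst 20 packets log prefix "input-deny: " level info
        drop
    }
}
```

After loading the ruleset (`nft -f`), denied attempts show up in the kernel log (`journalctl -k` or `dmesg`) with the `input-deny:` prefix; the iptables equivalent is a `-j LOG` rule followed by `-j DROP` at the end of the chain.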
Current thread:
- Network Segmentation Approaches nanog1 (May 04)
- Re: Network Segmentation Approaches Rich Kulawiec (May 05)
- Re: Network Segmentation Approaches Mark Andrews (May 05)
- Re: Network Segmentation Approaches Gene LeDuc (May 05)
- Re: Network Segmentation Approaches Mark Andrews (May 05)
- Re: Network Segmentation Approaches Jimmy Hess (May 05)
- Re: Network Segmentation Approaches Stephen Satchell (May 05)
- Re: Network Segmentation Approaches charles (May 06)
- Re: Network Segmentation Approaches Christopher Morrow (May 06)
- Re: Network Segmentation Approaches charles (May 06)
- RE: Network Segmentation Approaches Keith Medcalf (May 05)
- Re: Network Segmentation Approaches Joel Maslak (May 05)
- <Possible follow-ups>
- Re: Network Segmentation Approaches Scott Weeks (May 06)
- Re: Network Segmentation Approaches Rich Kulawiec (May 06)
- Re: Network Segmentation Approaches Andrew Jones (May 06)
- Re: Network Segmentation Approaches Scott Weeks (May 06)
(Thread continues...)
- Re: Network Segmentation Approaches Rich Kulawiec (May 05)