nanog mailing list archives
Re: Network Segmentation Approaches
From: Mark Andrews <marka () isc org>
Date: Wed, 06 May 2015 09:34:45 +1000
In message <20150505113445.GB24399 () gsp org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1 () roadrunner com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment your networks. [snip]
>
> I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.

The first rule of every firewall should be to enforce BCP 38 outbound. Deny all really isn't needed with modern machines but that is a matter of policy.

> Determining what's necessary is done via a number of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting is imposed based on a multiplier of observed maxima. Performance tuning is done after functionality and is usually pretty limited: modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of traffic even on modest hardware.
>
> ---rsk
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
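As an added example (not code from either poster), a minimal OpenBSD pf.conf that puts the BCP 38 egress rule first and "quick", then the default deny, then explicit permits with a connection-rate limit of the kind described above; the interface name, prefixes and host addresses are constructed placeholders:

```pf
# Constructed example: the address space this site legitimately originates
ext_if = "em0"
table <ours> const { 192.0.2.0/24, 2001:db8:1::/48 }
table <web>  const { 192.0.2.10 }
table <bruteforce> persist

# BCP 38 (RFC 2827): never emit a packet whose source address is not ours.
# First and "quick", so no later rule can override it.
block out quick on $ext_if from ! <ours> to any
# Companion ingress check: drop packets arriving from outside that claim
# to come from our own prefixes or from the interface's own addresses.
block in  quick on $ext_if from <ours> to any
antispoof quick for $ext_if

# Default deny; everything below is an explicit permit.
block log all

# Permit only what observation showed to be necessary.
pass out on $ext_if from <ours> to any keep state
# Rate limit derived from a multiplier of the observed peak (placeholder values):
# more than 100 new connections per 10 s from one source lands it in <bruteforce>.
pass in on $ext_if proto tcp from any to <web> port { 80, 443 } \
    keep state (max-src-conn-rate 100/10, overload <bruteforce> flush global)
block in quick from <bruteforce>
```

On a multihomed site the <ours> table must list every prefix the site can legitimately source, otherwise the egress rule silently discards real traffic.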