nanog mailing list archives
Re: Network Segmentation Approaches
From: "Scott Weeks" <surfer () mauigateway com>
Date: Wed, 6 May 2015 17:58:31 -0700
From: Rich Kulawiec <rsk () gsp org>

On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:

> From: Rich Kulawiec <rsk () gsp org>
> The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
> ------------------------------------
> I think you got this backward? That way all traffic is blocked, so none is allowed through.

Nope, I said exactly what I intended (and what I do, in practice). Doing so forces one to understand in detail what traffic actually needs to pass in/out and to craft specific rules for it. This in turn helps avoid making mistake #1:

The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/

-----------------------------------------------------

After reading your emails all these years, I figured you meant it the way you wrote it. When you wrote "...subsequent rulesets permit only the traffic that is necessary" I misunderstood and thought you meant rules put in after the default deny, which are useless. But by "subsequent rulesets" you meant rule sets put in later in time and placed above the deny-all, not after it. Small confusion over wording... :-)

scott
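The ordering confusion in the exchange above, worked through as an added example (not code from either poster): a small first-match rule evaluator with a shadowing check. The rule model, the `Rule` class and the two rulesets are constructed for illustration and use documentation/private address ranges only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR; "any" matches everything
    dst: str               # CIDR; "any" matches everything
    dport: Optional[int]   # None matches any destination port

def _net(cidr: str):
    # "any" is represented as the whole IPv4 space
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching rule decides and later rules are
    never consulted. Returns (action, index of the deciding rule); index None means
    nothing matched and the implicit default-deny applied."""
    for i, rule in enumerate(rules):
        if _matches(rule, src, dst, dport):
            return rule.action, i
    return "deny", None

def _covers(outer: Rule, inner: Rule) -> bool:
    # outer shadows inner if every packet inner could match is already matched by outer
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]

# Constructed rulesets (RFC 1918 source, TEST-NET-1 destination; not real hosts).
WRONG_ORDER = [
    Rule("deny", "any", "any", None),                    # deny-all first ...
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443),  # ... so this permit is dead
]
RIGHT_ORDER = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443),  # specific permits above
    Rule("deny", "any", "any", None),                    # deny-all as the last rule
]
```

`shadowed(WRONG_ORDER)` reports the permit at index 1 as unreachable, which is exactly the "rules after the default deny are useless" case; `RIGHT_ORDER` has no shadowed rules and still denies anything the permits do not cover.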