nanog mailing list archives

Re: Network Segmentation Approaches


From: "Scott Weeks" <surfer () mauigateway com>
Date: Wed, 6 May 2015 17:58:31 -0700



From: Rich Kulawiec <rsk () gsp org>
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
From: Rich Kulawiec <rsk () gsp org>

The first rule in every firewall is of course 
"deny all" and subsequent rulesets permit only 
the traffic that is necessary.  
------------------------------------

I think you got this backward?  That way all 
traffic is blocked, so none is allowed through.  

Nope, I said exactly what I intended (and what I do, 
in practice).  Doing so forces one to understand in 
detail what traffic actually needs to pass in/out 
and to craft specific rules for it.  This in turn 
helps avoid making mistake #1:

        The Six Dumbest Ideas in Computer Security
        http://www.ranum.com/security/computer_security/editorials/dumb/
-----------------------------------------------------


After reading your emails all these years, I figured 
you meant it the way you wrote it.  When you wrote
"...subsequent rulesets permit only the traffic that 
is necessary" I misunderstood and thought you meant 
rules put in after the default deny, which are useless. 
But by subsequent rulesets you meant rule sets put in 
later in time and above the deny all, not after the deny 
all.  Small confusion over wording...  :-)

scott
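The misunderstanding in this exchange comes down to first-match semantics: a packet filter stops at the first rule that matches, so permits placed after a catch-all deny are never reached, while permits placed above a final deny-all let through exactly the traffic they name. The following is an added example (not code from this thread or from either poster) that simulates that evaluation order in Python and includes a small check for rules that are shadowed by an earlier, broader rule. The rule fields, the two rulesets and the port numbers are constructed for illustration and are not any particular firewall's syntax.

```python
"""First-match firewall rule ordering, illustrating the thread's point.

Constructed example: the Rule format, the evaluator and the two sample
rulesets below are assumptions made for this illustration, not the
syntax or configuration of any real firewall.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = ANY                 # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches every destination port
    comment: str = ""

    def matches(self, proto: str, dst_port: int) -> bool:
        """Does this rule apply to a packet with the given protocol and port?"""
        if self.proto != ANY and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        proto_ok = self.proto == ANY or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


def evaluate(rules: List[Rule], proto: str, dst_port: int) -> str:
    """First-match evaluation: the first matching rule decides the verdict.

    If no rule matches at all, the packet is denied (implicit default deny),
    which is the safe fall-through behaviour the thread advocates.
    """
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Return rules that can never match because an earlier rule covers them.

    This is the check that catches the misread ordering: any permit placed
    below a catch-all deny is reported here as unreachable.
    """
    return [
        rule
        for i, rule in enumerate(rules)
        if any(earlier.covers(rule) for earlier in rules[:i])
    ]


# Constructed ruleset 1: "deny all" literally first, permits afterwards.
# Under first-match semantics the permits are dead rules.
MISREAD = [
    Rule("deny", comment="deny all (placed first)"),
    Rule("permit", "tcp", 22, comment="ssh from management"),
    Rule("permit", "tcp", 443, comment="https to the web tier"),
]

# Constructed ruleset 2: the intended reading. Specific permits are
# crafted first and "deny all" closes the list as the final rule.
INTENDED = [
    Rule("permit", "tcp", 22, comment="ssh from management"),
    Rule("permit", "tcp", 443, comment="https to the web tier"),
    Rule("deny", comment="deny all (placed last)"),
]


def verdicts(rules: List[Rule]) -> dict:
    """Evaluate a few representative packets against a ruleset."""
    return {
        "tcp/22": evaluate(rules, "tcp", 22),
        "tcp/443": evaluate(rules, "tcp", 443),
        "tcp/23": evaluate(rules, "tcp", 23),
        "udp/53": evaluate(rules, "udp", 53),
    }


if __name__ == "__main__":
    for name, rules in (("misread", MISREAD), ("intended", INTENDED)):
        print(name, verdicts(rules))
        dead = shadowed_rules(rules)
        for rule in dead:
            print(f"  unreachable: {rule.action} {rule.proto}/{rule.dst_port} ({rule.comment})")
```

Running the script shows the misread ruleset denying everything (and both permits reported as unreachable), while the intended ruleset permits only tcp/22 and tcp/443 and denies everything else. The `shadowed_rules` check is the kind of lint worth running on a real ruleset before it is pushed, since it flags the "permit below the catch-all" mistake mechanically rather than relying on reading the ordering by eye.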