[179722] in North American Network Operators' Group
Re: Network Segmentation Approaches
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue May 5 19:34:58 2015
X-Original-To: nanog@nanog.org
To: Rich Kulawiec <rsk@gsp.org>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 05 May 2015 07:34:45 -0400."
<20150505113445.GB24399@gsp.org>
Date: Wed, 06 May 2015 09:34:45 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <20150505113445.GB24399@gsp.org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1@roadrunner.com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks. [snip]
>
> I break them up by function and (when necessary) by the topology
> enforced by geography. The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.
The first rule of every firewall should be to enforce BCP 38 outbound.
Deny all really isn't needed with modern machines, but that is a matter of
policy.
> Determining what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting
> is imposed based on a multiplier of observed maxima. Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
>
> ---rsk
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
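Mark's BCP 38 point and Rich's deny-all-then-permit ordering, written out as one OpenBSD pf ruleset (an added example, not code from either poster; the interface names are assumed and the prefixes are constructed from the RFC 5737 / RFC 3849 documentation ranges):

```pf
# Added example: minimal pf.conf putting BCP 38 egress filtering first,
# then a default deny, then only the traffic that is actually needed.
ext_if = "em0"          # assumed upstream-facing interface
int_if = "em1"          # assumed LAN-facing interface

# Every prefix this site legitimately originates from (constructed values).
table <mynets> const { 192.0.2.0/24, 2001:db8:1::/48 }

set skip on lo

# BCP 38 / RFC 2827: never forward a packet upstream whose source address
# is not one of ours. 'quick' makes this decision final, so no later
# 'pass' rule can accidentally re-enable spoofed traffic.
block out log quick on $ext_if from ! <mynets> to any

# The mirror image: drop anything arriving from upstream that claims one of
# our own addresses, and anything arriving on the wrong interface for its
# source network.
block in log quick on $ext_if from <mynets> to any
antispoof log quick for { $int_if, $ext_if }

# Default deny. pf uses last-match semantics, so the 'pass' rules below
# override this only for the traffic they explicitly describe.
block log all

# Permit only what observation (tcpdump/argus/ntop, as in the thread)
# showed to be necessary; replies ride on pf's default stateful tracking.
pass in  on $int_if from <mynets> to any
pass out on $ext_if from <mynets> to any
pass in  on $ext_if proto tcp from any to ($ext_if) port { 22, 443 }
pass in  on $ext_if proto { tcp, udp } from any to ($ext_if) port 53
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules in the order pf will evaluate them.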