[179757] in North American Network Operators' Group


Re: Network Segmentation Approaches

daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Wed May 6 19:06:03 2015

X-Original-To: nanog@nanog.org
Date: Wed, 6 May 2015 19:05:59 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <20150506153001.C491D9D8@m0048141.ppops.net>
Errors-To: nanog-bounces@nanog.org

On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> --- rsk@gsp.org wrote:
> From: Rich Kulawiec <rsk@gsp.org>
> 
> The first rule in every firewall is of course 
> "deny all" and subsequent rulesets permit only 
> the traffic that is necessary.  
> ------------------------------------
> 
> I think you got this backward?  That way all 
> traffic is blocked, so none is allowed through.  

Nope, I said exactly what I intended (and what I do, in practice).
Doing so forces one to understand in detail what traffic actually
needs to pass in/out and to craft specific rules for it.  This in
turn helps avoid making mistake #1:

	The Six Dumbest Ideas in Computer Security
	http://www.ranum.com/security/computer_security/editorials/dumb/

---rsk
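A small model of the posture the message describes, added here as an illustration and not code from the original thread or its author: explicit permits are checked first-match and "deny all" is the fallback for anything not listed, so an unanticipated service is unreachable until someone writes a rule for it. The rule set, prefixes and flows are constructed for the example.

```python
# Added example, not code from the original NANOG message: a small first-match
# packet-filter model to show the default-deny posture described in the thread.
# Rule set, addresses and flows below are constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source prefix (CIDR)
    dst: str               # destination prefix (CIDR)
    dport: Optional[int]   # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))


def evaluate(rules, default, proto, src, dst, dport):
    """First matching rule wins; traffic matching no rule gets the default policy."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default


# Only the traffic known to be necessary is listed; everything else is implicit.
PERMITS = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),       # public HTTPS
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 22),  # admin SSH
    Rule("permit", "udp", "192.0.2.0/24", "192.0.2.53/32", 53),     # internal DNS
]

# Constructed flows; the last one is a service nobody wrote a rule for (e.g. a
# database listener that was never meant to be reachable from outside).
FLOWS = [
    ("tcp", "203.0.113.7", "192.0.2.10", 443),
    ("tcp", "203.0.113.7", "192.0.2.10", 22),
    ("tcp", "198.51.100.9", "192.0.2.10", 22),
    ("tcp", "203.0.113.7", "192.0.2.10", 3306),
]


def verdicts(default):
    """Map each sample flow to its verdict under the given default policy."""
    return {flow: evaluate(PERMITS, default, *flow) for flow in FLOWS}
```

Running `verdicts("deny")` against `verdicts("permit")` shows the difference in practice: the forgotten port 3306 listener is blocked under default deny and exposed under default permit, with the same three explicit rules in both cases.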
