In message <20150505113445.gb24...@gsp.org>, Rich Kulawiec writes:
> On Mon, May 04, 2015 at 07:55:43PM -0700, nan...@roadrunner.com wrote:
> > Possibly a bit off-topic, but curious how all of you out there segment
> > your networks. [snip]
>
> I break them up by function and (when necessary) by the topology
> enforced by geography. The first rule in every firewall is of
> course "deny all" and subsequent rulesets permit only the traffic
> that is necessary.

The first rule of every firewall should be to enforce BCP 38 outbound.
Deny all really isn't needed with modern machines, but that is a matter
of policy.

> Determining what's necessary is done via a number
> of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting
> is imposed based on a multiplier of observed maxima. Performance
> tuning is done after functionality and is usually pretty limited:
> modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of
> traffic even on modest hardware.
>
> ---rsk

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
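The rule order the two posters describe (BCP 38 source-address filtering evaluated first, then a default deny, then explicit permits with rate limits derived from observed traffic), written out as an added pf.conf example for the pf/OpenBSD firewall Rich mentions; it is not either poster's ruleset. The interface names em0/em1, the prefixes 192.0.2.0/24 and 2001:db8::/32, the host 192.0.2.10 and the 30/10 rate are constructed placeholders.

```pf
# Constructed example, not from the thread. Assumptions: em0 is the border
# interface and its own address lies inside <ours>; em1 faces the LAN.
ext_if = "em0"
int_if = "em1"

table <ours> const { 192.0.2.0/24, 2001:db8::/32 }
# Private and reserved space that must never cross the border in either direction.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
                       169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
                       224.0.0.0/4, 240.0.0.0/4 }
# Filled at runtime by the overload clause below; "persist" keeps the table
# defined while it is empty.
table <abusers> persist

set skip on lo0

# IPv6 neighbour discovery uses link-local sources that never leave the link;
# exempt it before the BCP 38 rules or the border loses its default router.
pass quick on $ext_if inet6 proto icmp6 from fe80::/10 to { fe80::/10, ff02::/16 }

# 1. BCP 38 first. "quick" ends evaluation on match, so nothing below can
#    override these: no packet leaves em0 with a source we do not own, and
#    no packet arrives on em0 claiming to be from us or from bogon space.
block out quick on $ext_if from ! <ours>
block in  quick on $ext_if from { <ours>, <bogons> }
# Reverse-path check on both interfaces; pf expands this into per-interface
# block rules, so spoofed sources on the LAN side are caught as well.
antispoof quick for { $ext_if, $int_if }

# 2. Default deny, logged to pflog0 so denied traffic is visible to monitoring.
block log all

# 3. Explicit permits only. Hosts exceeding the new-connection rate are added
#    to <abusers> and dropped; the 30/10 value is a placeholder to be set
#    from the observed maxima Rich describes.
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp from any to 192.0.2.10 port { 25, 443 } \
    keep state (max-src-conn-rate 30/10, overload <abusers> flush)
pass in  on $int_if from <ours> to any
pass out on $ext_if from <ours> to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; denied packets can then be watched with `tcpdump -n -e -ttt -i pflog0`.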