5 May 2015, 7:34 a.m.
On Mon, May 04, 2015 at 07:55:43PM -0700, nanog1@roadrunner.com wrote:
Possibly a bit off-topic, but curious how all of you out there segment your networks. [snip]
I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary. Determining what's necessary is done via a number of tools: tcpdump, ntop, argus, nmap, etc. When possible, rate-limiting is imposed based on a multiplier of observed maxima. Performance tuning is done after functionality and is usually pretty limited: modern efficient firewalls (e.g., pf/OpenBSD) can shovel a lot of traffic even on modest hardware.

---rsk
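The approach rsk describes (deny-all first, explicit permits per function segment, per-source rate limits derived from observed peaks) written out as an OpenBSD pf.conf ruleset. This is an added example, not a ruleset from the thread; the interface names, addresses and limit values are assumptions.

```pf
# Assumed segments: Internet on em0, a DMZ on em1, an office LAN on em2
ext_if  = "em0"
dmz_if  = "em1"
lan_if  = "em2"
dmz_web = "192.0.2.10"        # assumed DMZ web server
lan_net = "10.0.10.0/24"      # assumed office LAN
mgmt    = "10.0.10.5"         # assumed admin workstation

# Sources that exceed the rate limits land here and are dropped
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Rule 1: deny everything and log it; everything below punches explicit holes.
# pf is last-match-wins, so later pass rules override this default.
block log all

# Drop spoofed source addresses on the internal segments
antispoof quick for { $dmz_if $lan_if }

# Drop anything from hosts that already tripped a limit
block quick from <bruteforce>

# DMZ web server: inbound HTTP/HTTPS only. Limits are set to roughly
# 2x the peak per-source connection rate observed with argus/ntop
# (the 200 / 60-per-10s figures are assumed for the example).
pass in on $ext_if proto tcp to $dmz_web port { 80 443 } \
    keep state (max-src-conn 200, max-src-conn-rate 60/10, \
    overload <bruteforce> flush global)

# DMZ hosts never initiate toward the LAN; the default deny already
# covers this, but stating it explicitly keeps the intent visible.
block in quick on $dmz_if from any to $lan_net

# LAN may reach the DMZ web server over HTTPS only, and the Internet freely
pass in  on $lan_if proto tcp from $lan_net to $dmz_web port 443
pass in  on $lan_if from $lan_net to ! $dmz_web
pass out on $ext_if from $lan_net

# Firewall management: SSH only from the one admin host
pass in on $lan_if proto tcp from $mgmt to ($lan_if) port 22
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -t bruteforce -T show` afterwards to see which sources the rate limit has caught.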