nanog mailing list archives
Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
From: Cameron Byrne <cb.list6 () gmail com>
Date: Mon, 14 Nov 2011 21:41:25 -0800
On Nov 14, 2011 9:22 PM, <Valdis.Kletnieks () vt edu> wrote:
On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:Using two firewalls in serial from two different vendors doubles the complexity. Yet it almost always improves security: fat fingers on one firewall rarely repeat the same way on the second and a rogue packet must pass both.
Complexity equals downtime. I know at least one definition of security includes availability .
Fat fingers are actually not the biggest issue - a far bigger problem are
brain
failures. If you thought opening port 197 was a good idea, you will have
done
it on both firewalls. And it doesn't even help to run automated config checkers - because you'll have marked port 197 as "good" in there as
well. ;)
And it doesn't even help with fat-finger issues anyhow, because you
*know* that
if your firewall admin is any good, they'll just write a script that
loads both
firewalls from a master config file - and then proceed to fat-finger said config file.
And, stateful firewalls are a very common dos vector. Attacking firewall sessions per second capacity and blowing up a session table can bring a service down real quick. Furthermore, firewalls are frequently installed at a choke point ... Which makes them a topological single point of failure.... So, they are deployed in pairs .... And therefore have a nice cascading failure behavior when hit with a dos. Cb
Current thread:
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time..., (continued)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Jay Ashworth (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Michael Painter (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Jay Ashworth (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Rubens Kuhl (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... -Hammer- (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Michael Hallgren (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Mark Andrews (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Lyndon Nerenberg (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... William Herrin (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Valdis . Kletnieks (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Cameron Byrne (Nov 14)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... -Hammer- (Nov 15)
- Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time... Charles Morris (Nov 15)