nanog mailing list archives

Re: Arguing against using public IP space


From: Joe Greco <jgreco () ns sol net>
Date: Tue, 15 Nov 2011 11:54:45 -0600 (CST)

On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
If you put a router where you needed a firewall, then, this is not a
failure of the firewall, but, a failure of the network implementor and
the address space will not have any impact whatsoever on your lack of
security.

And the difference between a router and a firewall is ...?

Apparently, one bit.

IMHO, a firewall does not route packets by default, but, rather only forwards
those packets which match configured policies.

A router, OTOH, routes packets by default, but, may be configured with some
policy about which packets to forward.

The difference functionally is what happens when the configuration is
lost or corrupted. Essentially fail open vs. fail closed.

1 vs 0.  As I said... one bit.

Understanding this fundamental truth is helpful in understanding why
people use "routers" as "firewalls" and "firewalls" as "routers".
Because they're basically the same thing, with a one bit difference.

And some products, say like FreeBSD (which forms the heart of things
like pfSense, so let's not even begin to argue that it "isn't a
firewall") can actually be configured to default either way.  

So basically, while we would all prefer that firewalls default to deny,
it probably isn't as important a distinction as this thread is making
it out to be, because even a "default to deny" firewall fails when a
naive admin makes a typo and allows all traffic from 0/0 inadvertently.
It's just a matter of statistical likelihood.

Or perhaps a better argument would be that routers really ought to
default to deny.  :-)  I'd be fine with that, but I can hear the
screaming already.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
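The "one bit" default-action distinction and the 0/0 typo discussed in the message above, as an added example that is not part of the original post and is not code from FreeBSD, ipfw or pf: a small first-match policy evaluator in which the default action is a single setting, what each setting does once the rule set is lost, and a lint that flags allow rules sourced from the whole address space. The rule syntax, the sample rule sets and the RFC 5737 addresses are constructed for this example.

```python
"""Toy first-match packet policy whose default action is one setting.

Added example (not code from the thread, FreeBSD, ipfw or pf): models the
"one bit" between a router (default allow) and a firewall (default deny),
what each does when its rule set is lost, and a lint for the 0/0 typo that
makes a default-deny box fail open anyway.  Rule syntax and the sample
rule sets below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None: any destination port


def parse_rule(line: str) -> Rule:
    """Parse 'allow|deny SRC/len -> DST/len [port N]' (constructed syntax)."""
    fields = line.split()
    if len(fields) not in (4, 6) or fields[2] != "->" or fields[0] not in (ALLOW, DENY):
        raise ValueError(f"bad rule: {line!r}")
    dport = None
    if len(fields) == 6:
        if fields[4] != "port":
            raise ValueError(f"bad rule: {line!r}")
        dport = int(fields[5])
    # strict=False lets an admin write a host address with a shorter mask
    return Rule(fields[0],
                ipaddress.ip_network(fields[1], strict=False),
                ipaddress.ip_network(fields[3], strict=False),
                dport)


def parse_policy(text: str) -> List[Rule]:
    """Parse a rule set; blank lines and '#' comments are ignored."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


@dataclass
class Box:
    """A packet forwarder: rules plus the one bit that makes it a router or a firewall."""
    rules: List[Rule]
    default_action: str       # DENY: firewall-like, ALLOW: router-like

    def decide(self, src: str, dst: str, dport: int) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:              # first matching rule wins
            if s in r.src and d in r.dst and r.dport in (None, dport):
                return r.action
        return self.default_action        # no match: the one bit decides

    def lose_config(self) -> "Box":
        """What is left after the rule set is lost or corrupted."""
        return Box([], self.default_action)


def overbroad_allows(rules: List[Rule]) -> List[Tuple[str, Rule]]:
    """Lint: allow rules sourced from the whole address space.

    'critical' when the rule also allows any destination or any port
    (a fail-open hole), 'warning' when it is a single service exposed to
    the world, which may well be intended (a public HTTPS listener).
    """
    findings = []
    for r in rules:
        if r.action == ALLOW and r.src.prefixlen == 0:
            severity = "critical" if (r.dst.prefixlen == 0 or r.dport is None) else "warning"
            findings.append((severity, r))
    return findings


# Constructed sample rule sets (RFC 5737 documentation addresses).
INTENDED = """
# admin workstations may ssh to the bastion; anyone may reach its HTTPS listener
allow 10.0.0.0/8   -> 192.0.2.10/32 port 22
allow 0.0.0.0/0    -> 192.0.2.10/32 port 443
"""

TYPO = """
# same intent, but the ssh source was typed as 0.0.0.0/0 and a catch-all
# allow was left in "temporarily" while debugging
allow 0.0.0.0/0    -> 192.0.2.10/32 port 22
allow 0.0.0.0/0    -> 192.0.2.10/32 port 443
allow 0.0.0.0/0    -> 0.0.0.0/0
"""

if __name__ == "__main__":
    for name, rules in (("intended", parse_policy(INTENDED)), ("typo", parse_policy(TYPO))):
        fw, rtr = Box(rules, DENY), Box(rules, ALLOW)
        print(name, "outsider->ssh:", fw.decide("203.0.113.5", "192.0.2.10", 22),
              "(firewall)", rtr.decide("203.0.113.5", "192.0.2.10", 22), "(router)")
        print(name, "config lost:", fw.lose_config().decide("203.0.113.5", "192.0.2.10", 22),
              "(firewall)", rtr.lose_config().decide("203.0.113.5", "192.0.2.10", 22), "(router)")
        for sev, r in overbroad_allows(rules):
            print(name, "lint", sev, r)
```

With the same rule set, the firewall-like box denies an outsider's SSH attempt and the router-like box allows it; with an empty rule set the firewall denies everything and the router forwards everything, which is the fail-closed versus fail-open point. The typo'd set turns the default-deny box into a forwarder of arbitrary traffic (outsider to 198.51.100.7 port 25 is allowed), and the lint reports the catch-all as critical while only warning about the two single-service rules exposed to the world. On FreeBSD itself the bit is real configuration: ipfw's final rule 65535 denies unless the loader tunable net.inet.ip.fw.default_to_accept is set, and pf passes any packet no rule matches unless the rule set contains a `block all`.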

