Re: Have they stopped teaching Defense in Depth?

[Owen DeLong <owen () delong com>]

On Nov 16, 2011, at 8:43 AM, William Herrin wrote:

> On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <owen () delong com> wrote:
> > On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
> > > On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka () isc org> wrote:
> > > > If you want to use unroutable addresses then use a bastion host /
> > > > proxy.
> > >
> > > What is a modern NAT but a bastion host proxy for which application
> > > compatibility has been maximized?
> >
> > It is a mechanism for header mutilation which creates additional costs
> > in hardware (cost of routers), software (development of NAT traversal
> > code in various applications, NAT software in some cases), security
> > (NAT obfuscates audit trails and increases the difficulty and cost of
> > event correlation, forensics, abuser identification, and attack source
> > identification and mitigation, etc.).
>
> In other words, all of the things a proxy does but without sacrificing
> as many applications.

No, in the proxy case, the sessions internal and sessions external are
separate and the proxy software ties them together.

In the NAT case, the internal and external sessions are one and the 
same, but, the header is mutilated as part of the IP forwarding process.

However, yes, as someone else pointed out, the key difference is that
they suck in different ways.

Owen