nanog mailing list archives

Re: misunderstanding scale


From: William Herrin <bill () herrin us>
Date: Mon, 24 Mar 2014 13:37:06 -0400

On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco () ns sol net> wrote:
> > I say this with the utmost respect, but you must understand the
> > principle of defense in depth in order to make competent security
> > decisions for your organization. Smart people disagree on the details
> > but the principle is not only ironclad, it applies to all forms of
> > security, not just IP network security.

> The problem here is that what's actually going on is that you're now
> enshrining as a "security" device a hacky, ill-conceived workaround
> for a lack of flexibility/space/etc in IPv4.  NAT was not designed
> to act as a security feature.

Hi Joe,

That would be one of those "details" on which smart people disagree.
In this case, I think you're wrong. Modern NAT superseded the
transparent proxies and bastion hosts of the '90s because it does the
same security job a little more smoothly. And proxies WERE designed to
act as a security feature.


> > You'd expect folks to give up two layers of security at exactly the
> > same time as they're absorbing a new network protocol with which
> > they're yet unskilled? Does that make sense to you from a
> > risk-management standpoint?

> Actually, yes, it does.  Using the product as intended is substantially
> less risky than trying to figure out how to use some sort of proxy or
> gateway functionality to emulate NAT, and then screwing that up.

What sort of traction are you getting from that argument when you
speak with enterprise security folks?

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004