nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...

From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Nov 2011 16:10:32 -0500
On Mon, 14 Nov 2011 15:55:14 EST, Jay Ashworth said:


On the other hand, since a firewall's job is to stop packets you don't want,


One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness".
A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.


if it stops doing it's just as a firewall, it's likely to keep on doing it's
other job: passing packets.


As a result, a firewall that fails open rather than closed is mis-designed.

And if you're deploying a firewall and don't know if the failure mode is open or
closed, you probably get what you deserve when it fails.

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: