nanog mailing list archives
Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Nov 2011 16:10:32 -0500
On Mon, 14 Nov 2011 15:55:14 EST, Jay Ashworth said:
> On the other hand, since a firewall's job is to stop packets you don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness". A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.
> if it stops doing its job as a firewall, it's likely to keep on doing its other job: passing packets.
As a result, a firewall that fails open rather than closed is mis-designed. And if you're deploying a firewall and don't know if the failure mode is open or closed, you probably get what you deserve when it fails.
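Added example, not part of the original post or of any message in the thread: a small Python sketch of the two points argued above, a denylist ("enumerating badness") beside an allowlist that passes only wanted traffic, and an allowlist filter that fails closed when its policy cannot be loaded. The `proto/port` rule format, the class and function names, and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int

def parse_rules(text):
    """Parse 'proto/port' lines (constructed format); ValueError if malformed."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, port = line.split("/")      # wrong field count raises ValueError
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol: {proto!r}")
        number = int(port)                 # non-numeric port raises ValueError
        if not 0 < number < 65536:
            raise ValueError(f"port out of range: {number}")
        rules.add((proto, number))
    return rules

def denylist_passes(pkt, bad):
    """Enumerating badness: anything nobody thought to list gets through."""
    return (pkt.proto, pkt.dport) not in bad

class AllowlistFirewall:
    """Passes only listed traffic; a policy that fails to load passes nothing."""
    def __init__(self, policy_text):
        try:
            self.rules = parse_rules(policy_text)
            self.healthy = True
        except ValueError:
            self.rules = set()             # fail closed, never fall back to pass-all
            self.healthy = False

    def passes(self, pkt):
        return self.healthy and (pkt.proto, pkt.dport) in self.rules

if __name__ == "__main__":
    bad = parse_rules("tcp/23\ntcp/445")             # constructed denylist
    good = AllowlistFirewall("tcp/25\ntcp/443")      # constructed allowlist
    broken = AllowlistFirewall("tcp/25\ntcp/https")  # malformed second line
    for pkt in (Packet("tcp", 443), Packet("tcp", 3389), Packet("udp", 161)):
        print(pkt, denylist_passes(pkt, bad), good.passes(pkt), broken.passes(pkt))
```

The columns printed are denylist verdict, allowlist verdict, and the verdict of the firewall whose policy failed to parse; only the last stays `False` for every packet.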