nanog mailing list archives
Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
From: Jay Ashworth <jra () baylink com>
Date: Mon, 14 Nov 2011 16:53:16 -0500 (EST)
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks () vt edu>
> > On the other hand, since a firewall's job is to stop packets you don't want,
>
> One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness". A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.
From 30,000ft those are equivalent.
When you get down below 5000ft, it starts to matter which approach you take to it. There are lots and lots of people, though, whose exposure to firewalls is "a set of rules you drop over a router" -- in consequence of which there are a lot of *firewalls* that are designed that way. You're correct in implying that that's strategically bad, but both components of that paragraph impact the issue.
> > if it stops doing its job as a firewall, it's likely to keep on doing its other job: passing packets.
>
> As a result, a firewall that fails open rather than closed is mis-designed. And if you're deploying a firewall and don't know if the failure mode is open or closed, you probably get what you deserve when it fails.
Can't argue with that at all.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
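The two design choices argued over above, "enumerating badness" (deny-list over a default-allow) versus passing only wanted traffic (allow-list over a default-deny), and the fail-open versus fail-closed question, can be shown with a small policy evaluator. The following is an added illustration written for this archive page; it is not code from the thread participants, and the rule syntax, class names and RFC 5737 addresses are constructed for the example:

```python
from dataclasses import dataclass
from typing import List, Optional

# Everything below is a constructed toy model of a packet filter, not a real
# firewall implementation; addresses are documentation-range sample values.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    dst: str               # destination address or "any"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst == "any" or self.dst == p.dst))


def parse_rules(text: str) -> List[Rule]:
    """Parse 'action proto port dst' lines (hypothetical syntax).

    Any malformed line raises ValueError so the caller can decide how a
    policy that failed to load should behave.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, proto, port, dst = parts
        dport = None if port == "any" else int(port)   # int() also raises ValueError
        rules.append(Rule(action, proto, dport, dst))
    return rules


class Firewall:
    """First matching rule wins; otherwise the configured default applies."""

    def __init__(self, ruleset_text: str, default: str):
        self.default = default
        try:
            self.rules: Optional[List[Rule]] = parse_rules(ruleset_text)
        except ValueError:
            # Fail closed: a filter with no usable policy passes nothing,
            # regardless of what its default would have been.
            self.rules = None

    def decide(self, p: Packet) -> str:
        if self.rules is None:
            return "deny"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# "Enumerating badness": block what you have thought of, pass everything else.
BADNESS_RULES = """
deny tcp 23 any      # telnet
deny tcp 445 any     # smb
"""
badness_fw = Firewall(BADNESS_RULES, default="allow")

# Pass only wanted packets: list the services you mean to expose, deny the rest.
GOODNESS_RULES = """
allow tcp 443 192.0.2.10   # web server
allow tcp 25 192.0.2.20    # mail relay
"""
goodness_fw = Firewall(GOODNESS_RULES, default="deny")


if __name__ == "__main__":
    # A service nobody listed on the deny-list (RDP here) slips through the
    # badness filter but is stopped by the allow-list filter.
    rdp = Packet("198.51.100.7", "192.0.2.10", "tcp", 3389)
    print("badness :", badness_fw.decide(rdp))
    print("goodness:", goodness_fw.decide(rdp))
    # A ruleset that fails to parse leaves the fail-closed filter passing nothing.
    broken = Firewall("allow tcp https 192.0.2.10", default="allow")
    print("broken  :", broken.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 443)))
```

The RDP packet is the point of the thread's first exchange: the deny-list only blocks what its author remembered to enumerate, while the allow-list blocks it without anyone having thought of it. The `broken` filter is the second point: when the policy cannot be loaded, the filter returns "deny" for everything rather than falling back to its default, which is the fail-closed behaviour being argued for.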