nanog mailing list archives

Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...


From: Jay Ashworth <jra () baylink com>
Date: Mon, 14 Nov 2011 16:53:16 -0500 (EST)

----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks () vt edu>

On the other hand, since a firewall's job is to stop packets you
don't want,

One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating
badness".
A firewall's job isn't to stop unwanted packets, it's to pass only
wanted packets.

From 30,000ft those are equivalent. 

When you get down below 5000ft, it starts to matter which approach you
take to it.

There are lots and lots of people, though, whose exposure to firewalls is
"a set of rules you drop over a router" -- in consequence of which there are
a lot of *firewalls* that are designed that way.

You're correct in implying that that's strategically bad, but both components
of that paragraph impact the issue.

if it stops doing its job as a firewall, it's likely to keep on
doing its other job: passing packets.

As a result, a firewall that fails open rather than closed is
mis-designed.

And if you're deploying a firewall and don't know if the failure mode
is open or closed, you probably get what you deserve when it fails.

Can't argue with that at all.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
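The two design choices argued over above (default-allow "enumerating badness" versus default-deny "pass only wanted packets", and fail-open versus fail-closed) can be shown in a few lines of code. The following is an added illustration, not code from the NANOG thread or from any of its participants; the toy rule engine, the rule sets, the RFC 5737 documentation addresses and the sample packets are all constructed for the example.

```python
"""Toy packet-filter model contrasting the two firewall philosophies.

Added illustration, not code from the NANOG thread.  The Firewall/Rule/
Packet classes, the rule sets and the sample traffic below are constructed
for the example; no real filtering is performed.
"""
from dataclasses import dataclass
from typing import Callable, List

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    verdict: str


@dataclass
class Firewall:
    rules: List[Rule]
    default: str             # policy applied when no rule matches
    fail_open: bool = False  # verdict when rule evaluation itself breaks

    def verdict(self, pkt: Packet) -> str:
        try:
            for rule in self.rules:
                if rule.match(pkt):
                    return rule.verdict
            return self.default
        except Exception:
            # Fail-open: the box keeps doing its "other job", passing packets.
            # Fail-closed: a broken filter passes nothing.
            return ACCEPT if self.fail_open else DROP


def tcp_port(p: int) -> Callable[[Packet], bool]:
    return lambda pkt: pkt.proto == "tcp" and pkt.dport == p


# "Enumerating badness": a set of rules dropped over a router, default ACCEPT.
# Anything nobody thought to list sails through.
BLOCKLIST = Firewall(
    rules=[Rule(tcp_port(23), DROP), Rule(tcp_port(445), DROP),
           Rule(tcp_port(3389), DROP)],
    default=ACCEPT,
)

# "Pass only wanted packets": default DROP, enumerate the services offered.
ALLOWLIST = Firewall(
    rules=[Rule(tcp_port(443), ACCEPT), Rule(tcp_port(22), ACCEPT)],
    default=DROP,
)


def broken_rule(pkt: Packet) -> bool:
    # Simulates a filter whose rule table has become unusable (constructed).
    raise RuntimeError("rule table corrupted")


FAIL_OPEN = Firewall(rules=[Rule(broken_rule, DROP)], default=DROP, fail_open=True)
FAIL_CLOSED = Firewall(rules=[Rule(broken_rule, DROP)], default=DROP, fail_open=False)

# Constructed sample traffic (RFC 5737 documentation addresses).
PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # web, wanted
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),    # telnet, listed as bad
    Packet("198.51.100.7", "192.0.2.10", "tcp", 5900),  # VNC, never listed
]


def verdicts(fw: Firewall, pkts: List[Packet]) -> List[str]:
    return [fw.verdict(p) for p in pkts]


if __name__ == "__main__":
    for name, fw in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST)):
        print(f"{name:10s} {verdicts(fw, PACKETS)}")
    print("fail-open   ", FAIL_OPEN.verdict(PACKETS[0]))
    print("fail-closed ", FAIL_CLOSED.verdict(PACKETS[0]))
```

The unlisted VNC packet is the whole argument in one line: the blocklist passes it because nobody enumerated it, the allowlist drops it because nobody wanted it. The two FAIL_* instances differ only in what the engine returns when it cannot evaluate its rules at all, which is the failure mode the thread says you had better know before deploying the box.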

