nanog mailing list archives
Re: Arguing against using public IP space
From: Cameron Byrne <cb.list6 () gmail com>
Date: Tue, 15 Nov 2011 07:20:50 -0800
On Nov 15, 2011 7:09 AM, "-Hammer-" <bhmccie () gmail com> wrote:

> Guys, Everyone is complaining about whether a FW serves its purpose or not.
> Take a step back. Security is about layers. Router ACLs to filter white noise. FW ACLs to filter more. L7 (application) FWs to inspect HTTP payload. Patch management at the OS and Application layer on the server. Heuristics analyzing strategically placed SPAN feeds. The list goes on depending upon the size of your enterprise.

I would say security is about stopping threats, not layering in technology and tools. Granted, layering is a good idea, but throwing everything including the kitchen sink at a problem will result in just a larger problem.

> I don't think in a large environment you can avoid "complexity" these days. What you have to succeed at is managing that complexity. And L3 FWs have a very important purpose. They filter garbage. You focus your IDS/IPS on what the FW is allowing. It's more than a screen door. But yes, it's LESS than a true vault door. It's all about mitigating the risk. You'll never be 100% foolproof.

Large environments have to force simplicity to combat the natural ebb of complexity. The largest operators live by one rule, KISS. L3 network FWs are an attack vector and a single point of failure. But, I think this thread is not changing anyone's mind at this point.

> -Hammer-
> "I was a normal American nerd" -Jack Herer
>
> On 11/15/2011 08:56 AM, William Herrin wrote:
>> On Tue, Nov 15, 2011 at 9:17 AM, <Valdis.Kletnieks () vt edu> wrote:
>>> And this is totally overlooking the fact that the vast majority of *actual* attacks these days are web-based drive-bys and similar things that most firewalls are configured to pass through.
>>
>> Valdis,
>>
>> A firewall's job is to prevent the success of ACTIVE attack vectors against your network. If your firewall successfully restricts attackers to passive attack vectors (drive-by downloads) and social engineering vectors then it has done everything reasonably expected of it. Those other parts of the overall network security picture are dealt with elsewhere in the system security apparatus. So it's no mistake that in a discussion of firewalls those two attack vectors do not feature prominently.
>>
>> Regards,
>> Bill Herrin