nanog mailing list archives

Re: Have they stopped teaching Defense in Depth?

From: Owen DeLong <owen () delong com>
Date: Wed, 16 Nov 2011 08:11:29 -0800


On Nov 15, 2011, at 2:01 PM, William Herrin wrote:

On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka () isc org> wrote:

If you want to use unroutable addresses then use a bastion host /
proxy.  Don't expect to be able to open a TCP socket and have it
connect to something on the outside.  Do it right or don't do it
at all.


Mark,

What is a modern NAT but a bastion host proxy for which application
compatibility has been maximized?


It is a mechanism for header mutilation which creates additional costs
in hardware (cost of routers), software (development of NAT traversal
code in various applications, NAT software in some cases), security
(NAT obfuscates audit trails and increases the difficulty and cost of
event correlation, forensics, abuser identification, and attack source
identification and mitigation, etc.).

Owen

Current thread:

Re: Arguing against using public IP space, (continued)
- - - Re: Arguing against using public IP space Cameron Byrne (Nov 13)
    - Re: Arguing against using public IP space Robert Bonomi (Nov 13)
    - Re: Arguing against using public IP space Jay Ashworth (Nov 13)
    - Re: Arguing against using public IP space Jeroen van Aart (Nov 14)
    - Re: Arguing against using public IP space William Herrin (Nov 15)
    - Re: Arguing against using public IP space Michael Sinatra (Nov 15)
    - Re: Arguing against using public IP space Owen DeLong (Nov 15)
    - Have they stopped teaching Defense in Depth? Jay Ashworth (Nov 15)
    - Re: Have they stopped teaching Defense in Depth? Mark Andrews (Nov 15)
    - Re: Have they stopped teaching Defense in Depth? William Herrin (Nov 15)
    - Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
    - RE: Have they stopped teaching Defense in Depth? Jamie Bowden (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? William Herrin (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? Owen DeLong (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? Jimmy Hess (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? Jay Ashworth (Nov 16)
    - RE: Have they stopped teaching Defense in Depth? Leigh Porter (Nov 16)
    - Re: Have they stopped teaching Defense in Depth? Valdis . Kletnieks (Nov 16)
    - RE: Have they stopped teaching Defense in Depth? Jamie Bowden (Nov 16)
- Re: Arguing against using public IP space Dobbins, Roland (Nov 13)

(Thread continues...)