Re: misunderstanding scale

[Lee Howard <Lee () asgard org>]

On 3/24/14 2:38 PM, "William Herrin" <bill () herrin us> wrote:

> On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee () asgard org> wrote:
> > On 3/24/14 1:37 PM, "William Herrin" <bill () herrin us> wrote:
> > > That would be one of those "details" on which smart people disagree.
> > > In this case, I think you're wrong. Modern NAT superseded the
> > > transparent proxies and bastion hosts of the '90s because it does the
> > > same security job a little more smoothly. And proxies WERE designed to
> > > act as a security feature.
> >
> > What kinds of devices are we talking about here?  Are we talking about
> > the
> > default NAT on a home network router, or an enterprise-level NAT
> > operating
> > on a firewall?
>
> Hi Lee,
>
> I don't see NAT as a deployment issue for residential networks. Most
> folks just hook their computer up to whatever CPE the vendor sends
> them without any further attention.
>
>
> > If we're talking about an enterprise firewall, then I don't
> > understand--we're talking about a firewall.  If it implements a
> > symmetric
> > NAT in addition to a stateful firewall, then it's implementing the same
> > function twice.  But, hey, it's your network, if
> > security-through-obscurity is one of your defense in depth layers,
> > that's
> > fine.
>
> "Obscurity" offers one or more defense layers. If you disagree, post
> your passwords here.

One that is largely mocked by security professionals.  However, ULA can do
this.

> Unaddressibility is a second defense layer.

I offered ULA+NPT66.  I don't recommend it, but it has been described as
working, and provides addresses which are not globally reachable.

> Stateful firewalling is a third.

We agree.

Lee