Ok; let's have the "Does DNAT contribute to Security" argument one more time...

Jay Ashworth jra at baylink.com
Mon Nov 14 21:53:16 UTC 2011


----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu>

> > On the other hand, since a firewall's job is to stop packets you
> > don't want,
> 
> One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating
> badness".
> A firewall's job isn't to stop unwanted packets, it's to pass only
> wanted packets.

From 30,000ft those are equivalent.

When you get down below 5000ft, it starts to matter which approach you
take to it.

There are lots and lots of people, though, whose exposure to firewalls is
"a set of rules you drop over a router" -- in consequence of which there are
a lot of *firewalls* that are designed that way.

You're correct in implying that that's strategically bad, but both components
of that paragraph impact the issue.

> > if it stops doing its job as a firewall, it's likely to keep on
> > doing its other job: passing packets.
> 
> As a result, a firewall that fails open rather than closed is
> mis-designed.
> 
> And if you're deploying a firewall and don't know if the failure mode
> is open or closed, you probably get what you deserve when it fails.

Can't argue with that at all.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
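Added illustration, not code from the thread or from anyone on it: the same intent ("allow ssh and https") written the two ways Valdis contrasts, evaluated over constructed packets, plus the fail-open versus fail-closed behaviour when the rule engine itself breaks. The port lists and the `Packet` shape are assumptions made for the example.

```python
# Added example: "enumerate badness" vs "default deny", and fail-open vs fail-closed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp" (constructed for the example)
    dport: int


# Constructed rule sets for illustration only.
KNOWN_BAD = {("tcp", 23), ("tcp", 445), ("udp", 161)}   # telnet, SMB, SNMP
WANTED = {("tcp", 22), ("tcp", 443)}                    # ssh, https


def enumerate_badness(pkt: Packet) -> bool:
    """Drop listed badness, pass everything else (implicit default accept)."""
    return (pkt.proto, pkt.dport) not in KNOWN_BAD


def default_deny(pkt: Packet) -> bool:
    """Pass listed goodness, drop everything else (implicit default drop)."""
    return (pkt.proto, pkt.dport) in WANTED


def broken_engine(pkt: Packet) -> bool:
    """Stands in for a rule engine that has stopped working."""
    raise RuntimeError("rule engine failure")


def evaluate_fail_closed(policy, pkt: Packet) -> bool:
    """Any error while evaluating policy is treated as a drop."""
    try:
        return bool(policy(pkt))
    except Exception:
        return False


def evaluate_fail_open(policy, pkt: Packet) -> bool:
    """The mis-design Valdis describes: an error falls through to 'pass'."""
    try:
        return bool(policy(pkt))
    except Exception:
        return True


def compare(pkts):
    """Map 'proto/port' -> (enumerate_badness verdict, default_deny verdict)."""
    return {f"{p.proto}/{p.dport}": (evaluate_fail_closed(enumerate_badness, p),
                                      evaluate_fail_closed(default_deny, p))
            for p in pkts}
```

The interesting row is a service nobody has listed yet (tcp/8443 below): the blocklist passes it, default deny drops it, which is the whole "enumerating badness" point.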




More information about the NANOG mailing list