Ok; let's have the "Does DNAT contribute to Security" argument one more time...

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Nov 15 05:21:25 UTC 2011


On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:

> Using two firewalls in serial from two different vendors doubles the
> complexity. Yet it almost always improves security: fat fingers on one
> firewall rarely repeat the same way on the second and a rogue packet
> must pass both.

Fat fingers are actually not the biggest issue - a far bigger problem is brain
failures.  If you thought opening port 197 was a good idea, you will have done
it on both firewalls.  And it doesn't even help to run automated config
checkers - because you'll have marked port 197 as "good" in there as well. ;)

And it doesn't even help with fat-finger issues anyhow, because you *know* that
if your firewall admin is any good, they'll just write a script that loads both
firewalls from a master config file - and then proceed to fat-finger said
config file.
