Arguing against using public IP space

-Hammer- bhmccie at gmail.com
Tue Nov 15 15:19:59 UTC 2011


I see your side Cameron.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/15/2011 09:20 AM, Cameron Byrne wrote:
>
>
> On Nov 15, 2011 7:09 AM, "-Hammer-" <bhmccie at gmail.com> wrote:
> >
> > Guys,
> >    Everyone is complaining about whether a FW serves its purpose or 
> not. Take a step back. Security is about layers. Router ACLs to filter 
> whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect 
> HTTP payload. Patch management at the OS and Application layer on the 
> server. Heuristics analyzing strategically placed SPAN feeds. The list 
> goes on depending upon the size of your enterprise.
> >
>
> I would say security is about stopping threats, not layering in 
> technology and tools. Granted, layering is a good idea, but throwing 
> everything including the kitchen sink at a problem will result in just 
> a larger problem.
>
> > I don't think in a large environment you can avoid "complexity" 
> these days. What you have to succeed at is managing that complexity. 
> And L3 FWs have a very important purpose. They filter garbage. You 
> focus your IDS/IPS on what the FW is allowing. It's more than a screen 
> door. But yes, it's LESS than a true vault door. It's all about 
> mitigating the risk. You'll never be 100% foolproof.
> >
>
> Large environments have to force simplicity to combat the natural ebb 
> of complexity. The largest operators live by one rule, KISS.
>
> L3 network FWs are an attack vector and single point of failure.
>
> But, I think this thread is not changing anyone's mind at this point.
>
> > -Hammer-
> >
> > "I was a normal American nerd"
> > -Jack Herer
> >
> >
> >
> >
> > On 11/15/2011 08:56 AM, William Herrin wrote:
> >>
> >> On Tue, Nov 15, 2011 at 9:17 AM, <Valdis.Kletnieks at vt.edu> wrote:
> >>
> >>>
> >>> And this is totally overlooking the fact that the vast majority of *actual*
> >>> attacks these days are web-based drive-bys and similar things that most
> >>> firewalls are configured to pass through.
> >>>
> >>
> >> Valdis,
> >>
> >> A firewall's job is to prevent the success of ACTIVE attack vectors
> >> against your network. If your firewall successfully restricts
> >> attackers to passive attack vectors (drive-by downloads) and social
> >> engineering vectors then it has done everything reasonably expected of
> >> it. Those other parts of the overall network security picture are
> >> dealt with elsewhere in system security apparatus. So it's no mistake
> >> that in a discussion of firewalls those two attack vectors do not
> >> feature prominently.
> >>
> >> Regards,
> >> Bill Herrin
> >>
> >>
> >>
> >>
>