Arguing against using public IP space
-Hammer-
bhmccie at gmail.com
Tue Nov 15 15:19:59 UTC 2011
I see your side, Cameron.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 11/15/2011 09:20 AM, Cameron Byrne wrote:
>
>
> On Nov 15, 2011 7:09 AM, "-Hammer-" <bhmccie at gmail.com> wrote:
> >
> > Guys,
> > Everyone is complaining about whether a FW serves its purpose or
> > not. Take a step back. Security is about layers. Router ACLs to filter
> > whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect
> > HTTP payload. Patch management at the OS and Application layer on the
> > server. Heuristics analyzing strategically placed SPAN feeds. The list
> > goes on depending upon the size of your enterprise.
> >
>
> I would say security is about stopping threats, not layering in
> technology and tools. Granted, layering is a good idea, but throwing
> everything including the kitchen sink at a problem will result in just
> a larger problem.
>
> > I don't think in a large environment you can avoid "complexity"
> > these days. What you have to succeed at is managing that complexity.
> > And L3 FWs have a very important purpose. They filter garbage. You
> > focus your IDS/IPS on what the FW is allowing. It's more than a screen
> > door. But yes, it's LESS than a true vault door. It's all about
> > mitigating the risk. You'll never be 100% foolproof.
> >
>
> Large environments have to force simplicity to combat the natural ebb
> of complexity. The largest operators live by one rule, KISS.
>
> L3 network FWs are an attack vector and single point of failure.
>
> But, I think this thread is not changing anyone's mind at this point.
>
> > -Hammer-
> >
> > "I was a normal American nerd"
> > -Jack Herer
> >
> >
> >
> >
> > On 11/15/2011 08:56 AM, William Herrin wrote:
> >>
> >> On Tue, Nov 15, 2011 at 9:17 AM, <Valdis.Kletnieks at vt.edu> wrote:
> >>
> >>>
> >>> And this is totally overlooking the fact that the vast majority of *actual*
> >>> attacks these days are web-based drive-bys and similar things that most
> >>> firewalls are configured to pass through.
> >>>
> >>
> >> Valdis,
> >>
> >> A firewall's job is to prevent the success of ACTIVE attack vectors
> >> against your network. If your firewall successfully restricts
> >> attackers to passive attack vectors (drive-by downloads) and social
> >> engineering vectors then it has done everything reasonably expected of
> >> it. Those other parts of the overall network security picture are
> >> dealt with elsewhere in system security apparatus. So it's no mistake
> >> that in a discussion of firewalls those two attack vectors do not
> >> feature prominently.
> >>
> >> Regards,
> >> Bill Herrin
> >>
> >>
> >>
> >>
>
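The layering -Hammer- describes above (router ACLs for whitenoise, FW ACLs for published services, L7 inspection only on what survives, so the IDS/IPS effort is focused on what the FW already allowed) can be modelled as a short pipeline. The following is an added example written for this archive page; it is not code from the thread or from any of its participants. Every address, port, service table and payload is constructed sample data, and the two L7 patterns stand in for whatever signatures a real application firewall would carry.

```python
"""Toy model of layered filtering: router ACL -> L3/L4 firewall -> L7 inspection.

Each stage sees only what the previous stage passed, so the expensive
stage at the end inspects a small residue of the edge traffic.
All data below is constructed for the example.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass
class Packet:
    src: str          # source IP (constructed)
    dst: str          # destination IP (constructed)
    dport: int        # destination port
    proto: str        # "tcp" or "udp"
    payload: bytes = b""


# Stage 1: router ACL. On the public edge, drop "whitenoise" such as
# private / bogon source addresses that should never arrive from outside.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def router_acl(pkt: Packet):
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGONS):
        return False, "router: bogon source"
    return True, "router: pass"


# Stage 2: L3/L4 firewall. Only published (dst, port, proto) tuples get
# through; everything else has no rule and is dropped. The tuples are
# an assumed service table for the example, not a real deployment.
PUBLISHED = {
    ("203.0.113.10", 80, "tcp"),
    ("203.0.113.10", 443, "tcp"),
    ("203.0.113.53", 53, "udp"),
}


def firewall(pkt: Packet):
    if (pkt.dst, pkt.dport, pkt.proto) in PUBLISHED:
        return True, "fw: allowed to published service"
    return False, "fw: no rule"


# Stage 3: L7 inspection of the HTTP payload that survived stages 1 and 2.
# Two placeholder signatures: a path-traversal sequence and a SQL keyword pair.
SUSPICIOUS = [re.compile(rb"\.\./"), re.compile(rb"(?i)union\s+select")]


def l7_inspect(pkt: Packet):
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        for pat in SUSPICIOUS:
            if pat.search(pkt.payload):
                return False, f"l7: matched {pat.pattern!r}"
    return True, "l7: clean"


STAGES = (router_acl, firewall, l7_inspect)


def run_layers(packets):
    """Return a verdict per packet and how many packets each stage had to look at."""
    verdicts = []
    inspected = {stage.__name__: 0 for stage in STAGES}
    for pkt in packets:
        verdict = "delivered"
        for stage in STAGES:
            inspected[stage.__name__] += 1
            ok, reason = stage(pkt)
            if not ok:
                verdict = reason
                break          # dropped here; later layers never see it
        verdicts.append(verdict)
    return verdicts, inspected


# Constructed sample traffic arriving at the public edge.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "203.0.113.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),          # bogon src
    Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),                              # unpublished port
    Packet("198.51.100.7", "203.0.113.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "203.0.113.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.9", "203.0.113.53", 53, "udp", b"\x12\x34\x01\x00"),        # DNS query
]


if __name__ == "__main__":
    verdicts, inspected = run_layers(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict}")
    print("packets seen per stage:", inspected)
```

Running it shows the funnel the message argues for: the router looks at all five packets, the firewall at four, and the L7 stage at only three, of which one is flagged. The point is not the toy signatures but that each layer removes a class of traffic so the next, more expensive layer has less to examine.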