Arguing against using public IP space

Joe Greco jgreco at ns.sol.net
Tue Nov 15 17:54:45 UTC 2011


> On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
> >> If you put a router where you needed a firewall, then, this is not a
> >> failure of the firewall, but, a
> >> failure of the network implementor and the address space will not have
> >> any impact whatsoever
> >> on your lack of security.
> > 
> > And the difference between a router and a firewall is ...?
> > 
> > Apparently, one bit.
> 
> IMHO, a firewall does not route packets by default, but, rather only forwards
> those packets which match configured policies.
> 
> A router, OTOH, routes packets by default, but, may be configured with some
> policy about which packets to forward.
> 
> The difference functionally is what happens when the configuration is
> lost or corrupted. Essentially fail open vs. fail closed.

1 vs 0.  As I said... one bit.

Understanding this fundamental truth is helpful in understanding why
people use "routers" as "firewalls" and "firewalls" as "routers".
Because they're basically the same thing, with a one bit difference.

And some products, say like FreeBSD (which forms the heart of things
like pfSense, so let's not even begin to argue that it "isn't a
firewall") can actually be configured to default either way.  

So basically, while we would all prefer that firewalls default to deny,
it probably isn't as important a distinction as this thread is making
it out to be, because even a "default to deny" firewall fails when a
naive admin makes a typo and allows all traffic from 0/0 inadvertently.
It's just a matter of statistical likelihood.

Or perhaps a better argument would be that routers really ought to
default to deny.  :-)  I'd be fine with that, but I can hear the
screaming already.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
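As an added illustration of the fail-open versus fail-closed point (example code, not part of Joe's post or any product's own tooling): a small audit of a constructed, simplified pf-style ruleset that reports whether the effective default policy is pass or block, and flags any pass rule that admits everything from 0/0, the typo case mentioned above. The rule syntax (one rule per line, last matching rule wins, no "quick"), the sample rules and the interface name em0 are assumptions of this example.

```python
import re

# Constructed sample rulesets in a simplified pf-style syntax (assumption of this
# example: one rule per line, last matching rule wins, no "quick" keyword).
FIREWALL_OK = """
block all
pass out on em0 from 192.0.2.0/24 to any
pass in on em0 proto tcp from any to 192.0.2.10 port 443
"""
FIREWALL_TYPO = """
block all
pass in on em0 proto tcp from any to 192.0.2.10 port 443
pass in on em0 from 0.0.0.0/0 to any
"""
ROUTER_STYLE = """
pass in on em0 proto tcp from any to 192.0.2.10 port 443
"""

RULE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<dir>in|out))?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?(?:\s+from\s+(?P<src>\S+))?"
    r"(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<port>\S+))?)?(?:\s+all)?\s*$"
)
ANYWHERE = {None, "any", "0.0.0.0/0", "0/0"}   # spellings that mean "everyone"

def parse(ruleset):
    """Turn the ruleset text into a list of rule dicts, keeping the original line."""
    rules = []
    for line in ruleset.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: %r" % line)
        rules.append(dict(m.groupdict(), line=line.strip()))
    return rules

def is_unrestricted(rule):
    """True when the rule matches every packet: any src, any dst, no proto, no port."""
    return (rule["proto"] is None and rule["port"] is None
            and rule["src"] in ANYWHERE and rule["dst"] in ANYWHERE)

def audit(ruleset):
    """Report the effective default policy and any wide-open pass rules."""
    rules = parse(ruleset)
    default = "pass"   # no catch-all rule at all: traffic flows, i.e. router behaviour
    for r in rules:
        if is_unrestricted(r) and r["dir"] is None and r["iface"] is None:
            default = r["action"]   # last global catch-all wins
    wide_open = [r["line"] for r in rules if r["action"] == "pass" and is_unrestricted(r)]
    return {"default": default, "wide_open_pass": wide_open}
```

A "block all" at the top is what makes the set fail closed; the audit still flags the 0/0 pass rule because, under last-match semantics, it quietly turns the inbound side back into a router.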