Have they stopped teaching Defense in Depth?

Owen DeLong owen at delong.com
Wed Nov 16 14:32:22 CST 2011


On Nov 16, 2011, at 8:20 AM, Jamie Bowden wrote:

> 
> 
>> -----Original Message-----
>> From: Owen DeLong [mailto:owen at delong.com]
>> Sent: Wednesday, November 16, 2011 11:11 AM
>> To: William Herrin
>> Cc: NANOG
>> Subject: Re: Have they stopped teaching Defense in Depth?
>> 
>> 
>> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>> 
>>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka at isc.org> wrote:
>>>> If you want to use unroutable addresses then use a bastion host /
>>>> proxy.  Don't expect to be able to open a TCP socket and have it
>>>> connect to something on the outside.  Do it right or don't do it
>>>> at all.
>>> 
>>> Mark,
>>> 
>>> What is a modern NAT but a bastion host proxy for which application
>>> compatibility has been maximized?
>> 
>> It is a mechanism for header mutilation which creates additional costs
>> in hardware (cost of routers), software (development of NAT traversal
>> code in various applications, NAT software in some cases), security
>> (NAT obfuscates audit trails and increases the difficulty and cost of
>> event correlation, forensics, abuser identification, and attack source
>> identification and mitigation, etc.).
> 
> How is that any different than a proxy server, really?  From the inside,
> your apps are either NAT aware or proxy aware, but either way, you're
> not directly exposed to the world and all your traffic comes from one
> place as far as the world is concerned.  I live behind both (NAT at
> home; all external traffic of any type (assuming it's even allowed) is
> proxied at work), and both suck in different and exciting ways.
> 
> Jamie

You answered your own question... They suck in different ways.

Owen




More information about the NANOG mailing list