Have they stopped teaching Defense in Depth?
Owen DeLong
owen at delong.com
Wed Nov 16 20:32:22 UTC 2011
On Nov 16, 2011, at 8:20 AM, Jamie Bowden wrote:
>
>
>> -----Original Message-----
>> From: Owen DeLong [mailto:owen at delong.com]
>> Sent: Wednesday, November 16, 2011 11:11 AM
>> To: William Herrin
>> Cc: NANOG
>> Subject: Re: Have they stopped teaching Defense in Depth?
>>
>>
>> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>>
>>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka at isc.org> wrote:
>>>> If you want to use unroutable addresses then use a bastion host /
>>>> proxy. Don't expect to be able to open a TCP socket and have it
>>>> connect to something on the outside. Do it right or don't do it
>>>> at all.
>>>
>>> Mark,
>>>
>>> What is a modern NAT but a bastion host proxy for which application
>>> compatibility has been maximized?
>>
>> It is a mechanism for header mutilation which creates additional costs
>> in hardware (cost of routers), software (development of NAT traversal
>> code in various applications, NAT software in some cases), security
>> (NAT obfuscates audit trails and increases the difficulty and cost of
>> event correlation, forensics, abuser identification, and attack source
>> identification and mitigation, etc.).
>
> How is that any different than a proxy server, really? From the inside,
> your apps are either NAT aware or proxy aware, but either way, you're
> not directly exposed to the world and all your traffic comes from one
> place as far as the world is concerned. I live behind both (NAT at
> home; all external traffic of any type (assuming it's even allowed) is
> proxied at work), and both suck in different and exciting ways.
>
> Jamie
You answered your own question... They suck in different ways.
Owen