misunderstanding scale
William Herrin
bill at herrin.us
Mon Mar 24 17:37:06 UTC 2014
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco at ns.sol.net> wrote:
>> I say this with the utmost respect, but you must understand the
>> principle of defense in depth in order to make competent security
>> decisions for your organization. Smart people disagree on the details
>> but the principle is not only iron clad, it applies to all forms of
>> security, not just IP network security.
>
> The problem here is that what's actually going on is that you're now
> enshrining as a "security" device a hacky, ill-conceived workaround
> for a lack of flexibility/space/etc in IPv4. NAT was not designed
> to act as a security feature.
Hi Joe,
That would be one of those "details" on which smart people disagree.
In this case, I think you're wrong. Modern NAT superseded the
transparent proxies and bastion hosts of the '90s because it does the
same security job a little more smoothly. And proxies WERE designed to
act as a security feature.
>> You'd expect folks to give up two layers of security at exactly the
>> same time as they're absorbing a new network protocol with which
>> they're yet unskilled? Does that make sense to you from a
>> risk-management standpoint?
>
> Actually, yes, it does. Using the product as intended is substantially
> less risky than trying to figure out how to use some sort of proxy or
> gateway functionality to emulate NAT, and then screwing that up.
What sort of traction are you getting from that argument when you
speak with enterprise security folks?
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
More information about the NANOG
mailing list