Have they stopped teaching Defense in Depth?

Owen DeLong owen at delong.com
Wed Nov 16 16:11:29 UTC 2011


On Nov 15, 2011, at 2:01 PM, William Herrin wrote:

> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka at isc.org> wrote:
>> If you want to use unroutable addresses then use a bastion host /
>> proxy.  Don't expect to be able to open a TCP socket and have it
>> connect to something on the outside.  Do it right or don't do it
>> at all.
> 
> Mark,
> 
> What is a modern NAT but a bastion host proxy for which application
> compatibility has been maximized?

It is a mechanism for header mutilation which creates additional costs
in hardware (cost of routers), software (development of NAT traversal
code in various applications, NAT software in some cases), security
(NAT obfuscates audit trails and increases the difficulty and cost of
event correlation, forensics, abuser identification, and attack source
identification and mitigation, etc.).

Owen
