[146484] in North American Network Operators' Group
Re: Ok;
To: Jay Ashworth <jra@baylink.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 14 Nov 2011 16:10:32 -0500
Cc: NANOG <nanog@nanog.org>
On Mon, 14 Nov 2011 15:55:14 EST, Jay Ashworth said:
> On the other hand, since a firewall's job is to stop packets you don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness".
A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.
> if it stops doing its job as a firewall, it's likely to keep on doing its
> other job: passing packets.
As a result, a firewall that fails open rather than closed is mis-designed.
And if you're deploying a firewall and don't know if the failure mode is open or
closed, you probably get what you deserve when it fails.
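The default-deny point above, worked as a small added example (this is not from the post or from any real firewall; the Packet/Rule classes, the hypothetical load_rules() loader and the sample flows are constructed for illustration). It contrasts a ruleset that enumerates badness (default allow, deny a few known-bad ports) with one that passes only wanted traffic (default deny, allow a few named flows), then shows what each does when the rule table fails to load: the first fails open, the second fails closed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One match line; None fields are wildcards, CIDR strings for addresses."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match rule walk; the policy decides anything no rule names."""
    def __init__(self, policy: str, rules):
        self.policy = policy
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.policy


def load_rules(source):
    """Hypothetical loader: stands in for a config that fails to parse or load."""
    if source is None:
        raise RuntimeError("ruleset unavailable")
    return source


def build_firewall(policy: str, source) -> Firewall:
    # If the table is lost, the box is left running with only its policy;
    # that policy is the failure mode.
    try:
        rules = load_rules(source)
    except RuntimeError:
        rules = []
    return Firewall(policy, rules)


# Constructed sample flows toward a web host 192.0.2.10 (documentation addresses).
PACKETS = {
    "ssh_from_mgmt": Packet("10.1.2.3", "192.0.2.10", "tcp", 22),
    "http_from_net": Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
    "smb_from_net": Packet("203.0.113.5", "192.0.2.10", "tcp", 445),
    "redis_from_net": Packet("203.0.113.5", "192.0.2.10", "tcp", 6379),
}

# Enumerating badness: allow by default, block the ports someone thought of.
BLACKLIST_RULES = [
    Rule(DENY, proto="tcp", dport=445),
    Rule(DENY, proto="tcp", dport=3389),
]

# Pass only wanted packets: deny by default, name the flows that may pass.
WHITELIST_RULES = [
    Rule(ALLOW, src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22),
    Rule(ALLOW, dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule(ALLOW, dst="192.0.2.10/32", proto="tcp", dport=443),
]


def run(policy: str, source) -> dict:
    """Verdict per sample flow for a firewall built from policy and ruleset."""
    fw = build_firewall(policy, source)
    return {name: fw.decide(p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, policy, src in [("blacklist", ALLOW, BLACKLIST_RULES),
                               ("whitelist", DENY, WHITELIST_RULES),
                               ("blacklist, table lost", ALLOW, None),
                               ("whitelist, table lost", DENY, None)]:
        print(f"{label:22s} {run(policy, src)}")
```

The Redis flow is the tell while both boxes are healthy: nobody listed port 6379 as bad, so the blacklist passes it and the whitelist drops it. Once the table is gone, the blacklist passes everything (including 445) and the whitelist passes nothing, which is the open-versus-closed failure mode the message is about; the policy line is what you should know before deploying.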