[146487] in North American Network Operators' Group
Re: Ok; let's have the "Does DNAT contribute to Security" argument
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Mon Nov 14 16:53:28 2011
Date: Mon, 14 Nov 2011 16:53:16 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <141376.1321305032@turing-police.cc.vt.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
> > On the other hand, since a firewall's job is to stop packets you
> > don't want,
>
> One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating
> badness".
> A firewall's job isn't to stop unwanted packets, it's to pass only
> wanted packets.
From 30,000ft those are equivalent.
When you get down below 5000ft, it starts to matter which approach you
take to it.
There are lots and lots of people, though, whose exposure to firewalls is
"a set of rules you drop over a router" -- in consequence of which there are
a lot of *firewalls* that are designed that way.
You're correct in implying that that's strategically bad, but both components
of that paragraph impact the issue.
> > if it stops doing its job as a firewall, it's likely to keep on
> > doing its other job: passing packets.
>
> As a result, a firewall that fails open rather than closed is
> mis-designed.
>
> And if you're deploying a firewall and don't know if the failure mode
> is open or closed, you probably get what you deserve when it fails.
Can't argue with that at all.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
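The two firewall philosophies argued above (default-accept with "enumerated badness" versus default-drop that passes only wanted traffic) and the fail-open/fail-closed point can be shown in a small rule-evaluation model. This is an added illustration, not code from the NANOG thread or from any firewall product; the `Packet`, `Rule` and `Firewall` classes, the `load_rules_fail_closed` loader and all addresses and ports are constructed for the example (the address ranges are RFC 5737 documentation prefixes).

```python
"""Model of two firewall policies from the thread: a default-accept ruleset
that enumerates badness, and a default-drop ruleset that enumerates only
wanted traffic, plus a loader that fails closed when its rules cannot be read.
Added example, not code from the thread. Addresses/ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # source prefix; default matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules, policy: str):
        self.rules = list(rules)
        self.policy = policy  # verdict when no rule matches (the chain policy)

    def verdict(self, pkt: Packet) -> str:
        """First-match evaluation, then the default policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.policy


# "Enumerating badness": default accept, drop what someone has thought of so far.
BLOCKLIST_FW = Firewall(
    rules=[Rule("drop", proto="tcp", dport=23),     # telnet
           Rule("drop", proto="tcp", dport=445),    # SMB
           Rule("drop", src="203.0.113.0/24")],     # a "known bad" range (constructed)
    policy="accept")

# "Pass only wanted packets": default drop, accept exactly the services offered.
ALLOWLIST_FW = Firewall(
    rules=[Rule("accept", proto="tcp", dport=443),                       # public HTTPS
           Rule("accept", proto="tcp", dport=22, src="198.51.100.0/24")],  # SSH from admin net (constructed)
    policy="drop")


def load_rules_fail_closed(rule_lines) -> Firewall:
    """Parse lines of the form 'action proto dport'. If anything in the
    rule set is unreadable, return a deny-all firewall rather than an
    empty one: the unit stops passing packets instead of passing everything."""
    try:
        rules = []
        for line in rule_lines:
            action, proto, dport = line.split()
            if action not in ("accept", "drop"):
                raise ValueError("bad action: " + line)
            rules.append(Rule(action, proto=proto, dport=int(dport)))
        return Firewall(rules, policy="drop")
    except ValueError:
        return Firewall([], policy="drop")


if __name__ == "__main__":
    # A service nobody anticipated: the blocklist passes it, the allowlist does not.
    unexpected = Packet("192.0.2.7", "10.0.0.1", "tcp", 8080)
    print("blocklist:", BLOCKLIST_FW.verdict(unexpected))   # accept
    print("allowlist:", ALLOWLIST_FW.verdict(unexpected))   # drop
    broken = load_rules_fail_closed(["accept tcp 443", "this line is corrupt"])
    print("fail-closed:", broken.verdict(Packet("192.0.2.7", "10.0.0.1", "tcp", 443)))  # drop
```

The same three "known bad" rules that look sensible in the blocklist firewall say nothing about a port nobody listed, which is the "enumerating badness" problem; the allowlist firewall needs no knowledge of the attacker's choices because anything not explicitly wanted falls through to the chain policy. The loader shows the other half of the thread: when the rules cannot be applied, the safe fallback is a unit that forwards nothing, not a router with an empty filter.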