[146503] in North American Network Operators' Group
Re: Ok;
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Nov 15 00:23:14 2011
To: William Herrin <bill@herrin.us>
In-Reply-To: Your message of "Mon, 14 Nov 2011 19:06:13 EST."
<CAP-guGX__gLuAcH=CniRf21OaApSmq7xKWRYzKwxJg9ChKZoig@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 15 Nov 2011 00:21:25 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:
> Using two firewalls in serial from two different vendors doubles the
> complexity. Yet it almost always improves security: fat fingers on one
> firewall rarely repeat the same way on the second and a rogue packet
> must pass both.
Fat fingers are actually not the biggest issue - a far bigger problem is brain
failures. If you thought opening port 197 was a good idea, you will have done
it on both firewalls. And it doesn't even help to run automated config
checkers - because you'll have marked port 197 as "good" in there as well. ;)
And it doesn't even help with fat-finger issues anyhow, because you *know* that
if your firewall admin is any good, they'll just write a script that loads both
firewalls from a master config file - and then proceed to fat-finger said
config file.