[146515] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (William Herrin)
Tue Nov 15 09:57:16 2011

In-Reply-To: <175192.1321366640@turing-police.cc.vt.edu>
From: William Herrin <bill@herrin.us>
Date: Tue, 15 Nov 2011 09:56:38 -0500
To: Valdis.Kletnieks@vt.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Nov 15, 2011 at 9:17 AM,  <Valdis.Kletnieks@vt.edu> wrote:
> And this is totally overlooking the fact that the vast majority of *actual*
> attacks these days are web-based drive-bys and similar things that most
> firewalls are configured to pass through.

Valdis,

A firewall's job is to prevent the success of ACTIVE attack vectors
against your network. If your firewall successfully restricts
attackers to passive attack vectors (drive-by downloads) and social
engineering vectors then it has done everything reasonably expected of
it. Those other parts of the overall network security picture are
dealt with elsewhere in system security apparatus. So it's no mistake
that in a discussion of firewalls those two attack vectors do not
feature prominently.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

