[146537] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Joe Greco)
Tue Nov 15 12:56:09 2011

From: Joe Greco <jgreco@ns.sol.net>
To: owen@delong.com (Owen DeLong)
Date: Tue, 15 Nov 2011 11:54:45 -0600 (CST)
In-Reply-To: <5CBF6B7A-D16E-487B-B70D-1F36B1CDBECB@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 McCall Gabriel <Gabriel.McCall@thyssenkrupp.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
> >> If you put a router where you needed a firewall, then, this is not a
> >> failure of the firewall, but, a failure of the network implementor and
> >> the address space will not have any impact whatsoever on your lack of
> >> security.
> > 
> > And the difference between a router and a firewall is ...?
> > 
> > Apparently, one bit.
> 
> IMHO, a firewall does not route packets by default, but, rather only forwards
> those packets which match configured policies.
> 
> A router, OTOH, routes packets by default, but, may be configured with some
> policy about which packets to forward.
> 
> The difference functionally is what happens when the configuration is
> lost or corrupted. Essentially fail open vs. fail closed.

1 vs 0.  As I said... one bit.

Understanding this fundamental truth is helpful in understanding why
people use "routers" as "firewalls" and "firewalls" as "routers".
Because they're basically the same thing, with a one bit difference.

And some products, say like FreeBSD (which forms the heart of things
like pfSense, so let's not even begin to argue that it "isn't a
firewall") can actually be configured to default either way.  

So basically, while we would all prefer that firewalls default to deny,
it probably isn't as important a distinction as this thread is making
it out to be, because even a "default to deny" firewall fails when a
naive admin makes a typo and allows all traffic from 0/0 inadvertently.
It's just a matter of statistical likelihood.

Or perhaps a better argument would be that routers really ought to
default to deny.  :-)  I'd be fine with that, but I can hear the
screaming already.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
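The "one bit" being argued over above, modelled in code. This is an added example and is not from the thread, from FreeBSD or from any firewall product: a filter is a first-match rule list plus a default action, and the default is what survives when the rules are lost. It also shows the failure mode Joe describes, an allow rule typed as 0/0 on a default-deny box, and a lint that catches such any-to-any allows before they ship. The prefixes (192.0.2.0/24, 198.51.100.0/24) are documentation ranges chosen for the example.

```python
"""Model of a packet filter as rules + one default bit (fail open / fail closed).
Constructed example, not code from the NANOG thread or any real firewall."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

ALLOW, DENY = "allow", "deny"


@dataclass
class Rule:
    action: str                 # ALLOW or DENY
    src: IPv4Network            # source prefix this rule matches
    dst: IPv4Network            # destination prefix this rule matches
    dport: Optional[int] = None  # None matches any destination port


@dataclass
class Filter:
    default: str                # the one bit: action when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src: str, dst: str, dport: int) -> str:
        """First matching rule wins; otherwise the default bit decides."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
                return r.action
        return self.default


def lose_config(f: Filter) -> Filter:
    """Simulate config loss or corruption: rules are gone, default survives."""
    return Filter(default=f.default, rules=[])


def overly_broad_allows(f: Filter) -> List[Rule]:
    """Lint check: allow rules matching any source to any destination on any
    port.  One of these turns a default-deny box into an effectively
    default-allow one, whatever the default bit says."""
    any4 = ip_network("0.0.0.0/0")
    return [r for r in f.rules
            if r.action == ALLOW and r.src == any4 and r.dst == any4
            and r.dport is None]


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), dport)


# Constructed sample policies (addresses from RFC 5737 documentation ranges)
ANY = "0.0.0.0/0"
WEB = "192.0.2.10/32"   # a server behind the filter

# "firewall": default deny, one narrow hole.  Loses its rules -> fails closed.
firewall = Filter(DENY, [rule(ALLOW, ANY, WEB, 443)])

# "router": default allow, one narrow block.  Loses its rules -> fails open.
router = Filter(ALLOW, [rule(DENY, ANY, WEB, 22)])

# the typo case: admin meant 192.0.2.0/24 as source but typed 0/0
typo = Filter(DENY, [rule(ALLOW, ANY, ANY)])

if __name__ == "__main__":
    outside = "198.51.100.7"
    for name, f in (("firewall", firewall), ("router", router), ("typo", typo)):
        print(f"{name:8s} ssh from outside: {f.decide(outside, WEB, 22)}, "
              f"after config loss: {lose_config(f).decide(outside, WEB, 22)}, "
              f"broad allows: {len(overly_broad_allows(f))}")
```

Running it shows the three cases side by side: the default-deny filter still denies after its rules vanish, the default-allow one permits everything, and the default-deny filter with the 0/0 typo behaves like the router even though its default bit is "deny", which is exactly what the lint is there to flag.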

