[146580] in North American Network Operators' Group


RE: Have they stopped teaching Defense in Depth?

daemon@ATHENA.MIT.EDU (Jamie Bowden)
Wed Nov 16 11:22:07 2011

Date: Wed, 16 Nov 2011 11:20:28 -0500
In-Reply-To: <7920B919-FC2E-48A4-87DE-D32D49E40318@delong.com>
From: "Jamie Bowden" <jamie@photon.com>
To: "Owen DeLong" <owen@delong.com>, "William Herrin" <bill@herrin.us>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: Owen DeLong [mailto:owen@delong.com]
> Sent: Wednesday, November 16, 2011 11:11 AM
> To: William Herrin
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
>
>
> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>
> > On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka@isc.org> wrote:
> >> If you want to use unroutable addresses then use a bastion host /
> >> proxy.  Don't expect to be able to open a TCP socket and have it
> >> connect to something on the outside.  Do it right or don't do it
> >> at all.
> >
> > Mark,
> >
> > What is a modern NAT but a bastion host proxy for which application
> > compatibility has been maximized?
>
> It is a mechanism for header mutilation which creates additional costs
> in hardware (cost of routers), software (development of NAT traversal
> code in various applications, NAT software in some cases), security
> (NAT obfuscates audit trails and increases the difficulty and cost of
> event correlation, forensics, abuser identification, and attack source
> identification and mitigation, etc.).

How is that any different than a proxy server, really?  From the inside,
your apps are either NAT aware or proxy aware, but either way, you're
not directly exposed to the world and all your traffic comes from one
place as far as the world is concerned.  I live behind both (NAT at
home; all external traffic of any type (assuming it's even allowed) is
proxied at work), and both suck in different and exciting ways.

Jamie
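The audit-trail cost DeLong raises above, shown concretely as an added example (not code from anyone in this thread): an external abuse report names only the NAT's public address, so the defender must join it against the gateway's translation log to recover the inside host. The log format, the addresses and the session records are constructed assumptions; the point is that without the public port, a precise timestamp and session start/end times, the answer degrades from one host to every host that was active behind that address.

```python
from datetime import datetime, timedelta

# Constructed sample NAT session log (not from the thread), one record per line:
# <start> <end> <inside ip:port> <public ip:port> <proto>
NAT_LOG = """\
2011-11-15T20:59:58Z 2011-11-15T21:00:08Z 10.0.0.12:51234 203.0.113.7:40001 tcp
2011-11-15T21:00:03Z 2011-11-15T21:00:30Z 10.0.0.45:49877 203.0.113.7:40002 tcp
2011-11-15T21:00:10Z 2011-11-15T21:00:40Z 10.0.0.45:49878 203.0.113.7:40001 tcp
2011-11-15T21:05:00Z 2011-11-15T21:06:00Z 10.0.0.12:51235 203.0.113.7:40003 tcp
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_nat_log(text):
    """Parse the assumed whitespace-separated session format into dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, inside, outside, proto = line.split()
        in_ip, in_port = inside.rsplit(":", 1)
        out_ip, out_port = outside.rsplit(":", 1)
        sessions.append({"start": parse_ts(start), "end": parse_ts(end),
                         "in_ip": in_ip, "in_port": int(in_port),
                         "out_ip": out_ip, "out_port": int(out_port),
                         "proto": proto})
    return sessions

def find_inside_hosts(sessions, public_ip, when, public_port=None, skew_seconds=0):
    """Inside hosts that could have sourced traffic seen from public_ip at `when`.

    public_port narrows the answer to one translation; skew_seconds widens the
    time window to absorb clock drift between the reporter and the gateway.
    Note that a public port is reused once its session ends (40001 below), so
    the timestamp is as essential as the port."""
    skew = timedelta(seconds=skew_seconds)
    lo, hi = when - skew, when + skew
    hits = set()
    for s in sessions:
        if s["out_ip"] != public_ip:
            continue
        if public_port is not None and s["out_port"] != public_port:
            continue
        if s["start"] <= hi and s["end"] >= lo:   # session overlaps the window
            hits.add(s["in_ip"])
    return hits

if __name__ == "__main__":
    sess = parse_nat_log(NAT_LOG)
    t = parse_ts("2011-11-15T21:00:05Z")
    print(find_inside_hosts(sess, "203.0.113.7", t, 40001))  # {'10.0.0.12'}
    print(find_inside_hosts(sess, "203.0.113.7", t))         # both hosts
```

Run against a real gateway, this only works if the NAT logs session start and end with the translated port, which is the logging burden a proxy's per-connection log already carries.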
