[146582] in North American Network Operators' Group
Re: Have they stopped teaching Defense in Depth?
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Nov 16 11:45:20 2011
In-Reply-To: <7920B919-FC2E-48A4-87DE-D32D49E40318@delong.com>
From: William Herrin <bill@herrin.us>
Date: Wed, 16 Nov 2011 11:43:54 -0500
To: Owen DeLong <owen@delong.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <owen@delong.com> wrote:
> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka@isc.org> wrote:
>>> If you want to use unroutable addresses then use a bastion host /
>>> proxy.
>>
>> What is a modern NAT but a bastion host proxy for which application
>> compatibility has been maximized?
>
> It is a mechanism for header mutilation which creates additional costs
> in hardware (cost of routers), software (development of NAT traversal
> code in various applications, NAT software in some cases), security
> (NAT obfuscates audit trails and increases the difficulty and cost of
> event correlation, forensics, abuser identification, and attack source
> identification and mitigation, etc.).
In other words, all of the things a proxy does but without sacrificing
as many applications.
-Bill
--=20
William D. Herrin ................ herrin@dirtside.com=A0 bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
