[170134] in North American Network Operators' Group

Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (William Herrin)
Mon Mar 24 13:58:32 2014

In-Reply-To: <201403241325.s2ODPg35059533@aurora.sol.net>
From: William Herrin <bill@herrin.us>
Date: Mon, 24 Mar 2014 13:37:06 -0400
To: Joe Greco <jgreco@ns.sol.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
>> I say this with the utmost respect, but you must understand the
>> principle of defense in depth in order to make competent security
>> decisions for your organization. Smart people disagree on the details
>> but the principle is not only iron clad, it applies to all forms of
>> security, not just IP network security.
>
> The problem here is that what's actually going on is that you're now
> enshrining as a "security" device a hacky, ill-conceived workaround
> for a lack of flexibility/space/etc in IPv4.  NAT was not designed
> to act as a security feature.

Hi Joe,

That would be one of those "details" on which smart people disagree.
In this case, I think you're wrong. Modern NAT superseded the
transparent proxies and bastion hosts of the '90s because it does the
same security job a little more smoothly. And proxies WERE designed to
act as a security feature.


>> You'd expect folks to give up two layers of security at exactly the
>> same time as they're absorbing a new network protocol with which
>> they're yet unskilled? Does that make sense to you from a
>> risk-management standpoint?
>
> Actually, yes, it does.  Using the product as intended is substantially
> less risky than trying to figure out how to use some sort of proxy or
> gateway functionality to emulate NAT, and then screwing that up.

What sort of traction are you getting from that argument when you
speak with enterprise security folks?

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004