On Mon, Feb 03, 2020 at 11:13:54AM +0000, ratatatah wrote:
> Hello Peter!
>
> Not sure I understand the whole hierarchy and flatness analogy, I'm very new
> to all of this, but what do I tell those who claim that this leaking of the
> IP poses a security risk and that they therefore should go with FreeBSD jails
> instead?
>
> Thanks.
Hi!

You know there are a few things wrong about this in what I interpret from your wants. An IP should not be kept secret, in my opinion. It should be made harmless by firewall policies. So even if knowledge escapes that there is an internal IP, perhaps to a bastion host to an internal network that is super sensitive, to hackers who break into a webserver, there should be some defense against that.

It seems to me that priorities are all mixed up. It seems to me that the IP that is so sensitive that even its knowledge must be hidden must be protected. Perhaps you need to rethink the network. You don't get more security by just putting bastion hosts in the heart of Fort Knox and not protecting them somehow.

If you want OpenBSD and your counterparts want FreeBSD because they can cover up knowledge of a sensitive IP address, then compromise on this. Get FreeBSD and put an OpenBSD firewall in front of the sensitive network. You can even NAT the IP so that the super sensitive IP knowledge is out of the picture.

Then again it's useless throwing equipment such as firewalls on a sore spot without considering the entire network. How was it designed, why was this spot left so sensitive, how can it be repaired? Can it be patched or does an entire new redesign have to evolve? These are cost issues which I'm admittedly not good at; also I'm not an architect (yet), I never built my own network outside of home. But I see there is need for some queries to the architect here.

If it is a matter of battling over one host whether it's KindA OS or KindB OS but it leaves a gaping hole despite either, then it's really not worth it and the seriousness of this sensitive IP should be questioned.

Excuse my ongoing rant,

With regards,
-peter
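The arrangement Peter suggests, an OpenBSD pf firewall between the webserver's segment and the sensitive network that enforces policy and NATs the internal addresses, as an added pf.conf example that is not from the thread. Interface names, the RFC 5737 / RFC 1918 addresses and the "admin network" are assumptions chosen for illustration.

```pf
# Added example, not from the mailing-list thread. Placeholder interfaces
# and addresses; adjust to the real topology.
ext_if  = "em0"     # faces the DMZ where the webserver lives
int_if  = "em1"     # faces the sensitive internal network
mgmt_if = "em2"     # faces the administrators' network

webserver     = "192.0.2.10"      # DMZ host we assume can be broken into
bastion       = "10.0.0.5"        # the "sensitive" internal host
sensitive_net = "10.0.0.0/24"
admin_net     = "10.1.0.0/24"     # where legitimate SSH to the bastion comes from

set skip on lo

# Default deny in every direction. Knowing an address buys an intruder
# nothing unless a rule below grants a path to it.
block log all

# Hide the internal addressing from the DMZ: traffic the sensitive network
# sends outward appears to originate from the firewall's external address.
match out on $ext_if from $sensitive_net to any nat-to ($ext_if)

# Log (and actively refuse) any attempt from the webserver toward the
# sensitive network; a hit on this rule is a detection signal worth alerting on.
block return log quick on $ext_if from $webserver to $sensitive_net

# Only administrators reach the bastion, and only over SSH. The rule has no
# interface, so it permits the forwarded packet on both $mgmt_if and $int_if.
pass quick proto tcp from $admin_net to $bastion port 22 \
    flags S/SA keep state

# If the bastion legitimately needs to talk to the webserver (e.g. to fetch
# updates over HTTPS), allow exactly that; the NAT rule above hides its IP.
pass quick proto tcp from $bastion to $webserver port 443 \
    flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch logged hits with `tcpdump -n -e -ttt -i pflog0` to see any attempt from the webserver toward the sensitive network.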