On Mon, Feb 03, 2020 at 11:13:54AM +0000, ratatatah wrote:
> Hello Peter!
> 
> Not sure I understand the whole hierarchy and flatness analogy, I'm very new 
> to all of this, but what do I tell those who claim that this leaking of the 
> IP poses a security risk and that they therefore should go with FreeBSD jails 
> instead?
> 
> Thanks.

Hi!

You know, there are a few things wrong with this in what I interpret from your
wants.  An IP should not be kept secret, in my opinion.  It should be made
harmless by firewall policies.

So even if knowledge escapes (to hackers who break into a webserver) that there
is an internal IP, perhaps of a bastion host to an internal network that is
super sensitive, there should be some defense against that.

It seems to me that priorities are all mixed up.  An IP that is so sensitive
that even knowledge of it must be hidden must itself be protected.  Perhaps you
need to rethink the network.  You don't get more security by just putting
bastion hosts in the heart of Fort Knox and not protecting them somehow.

If you want OpenBSD and your counterparts want FreeBSD because they can cover
up knowledge of a sensitive IP address, then compromise on this.  Get FreeBSD
and put an OpenBSD firewall in front of the sensitive network.  You can
even NAT the IP so that knowledge of the super sensitive IP is out of the picture.

Then again, it's useless throwing equipment such as firewalls at a sore spot
without considering the entire network.  How was it designed, why was this
spot left so sensitive, how can it be repaired?  Can it be patched, or does an
entirely new redesign have to evolve?  These are cost issues, which I'm
admittedly not good at; also, I'm not an architect (yet), I never built my own
network outside of home.  But I see there is need for some queries to the
architect here.

If it is a matter of battling over one host, whether it's KindA OS or KindB OS,
but it leaves a gaping hole despite either, then it's really not worth it, and
the seriousness of this sensitive IP should be questioned.

Excuse my ongoing rant,
With regards,
-peter
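As an added example, not part of Peter's reply or of the original thread, here is what the "OpenBSD firewall in front of the sensitive network, with the IP NATed" suggestion looks like as a pf.conf. The interface names, the addresses, and the assumption that the sensitive host is an SSH bastion that only the web server needs to reach are all constructed for the example.

```pf
# Added example pf.conf (OpenBSD) for a firewall placed between a DMZ web
# server and a "sensitive" internal host.  Every name and address below is
# an assumption for the example, not something from the thread.
ext_if         = "em0"           # DMZ side, where the web server lives
int_if         = "em1"           # sensitive internal network
webserver      = "192.0.2.10"    # the host an attacker might break into
bastion_real   = "10.10.10.5"    # the address the question wants hidden
bastion_public = "192.0.2.20"    # the only address the DMZ side needs to know

set skip on lo
set block-policy drop
set loginterface $ext_if

# Normalise, then default deny: nothing crosses the firewall unless a rule
# below says so, and every drop is logged, so a compromised web server
# probing for internal addresses shows up in pflog.
match in all scrub (no-df)
block log all

# Translate the bastion's real address.  The DMZ side talks to 192.0.2.20;
# pf rewrites it to 10.10.10.5 on the way in and back again on the way out,
# so the real address never appears in packets on the DMZ side.
match in on $ext_if inet proto tcp to $bastion_public port ssh rdr-to $bastion_real

# Filter rules are evaluated after the rdr-to, so they see the real address.
# Only the web server, only SSH, only to the bastion; everything else from
# the DMZ side stays blocked even if someone learns 10.10.10.5.
pass in  on $ext_if inet proto tcp from $webserver to $bastion_real port ssh
pass out on $int_if inet proto tcp from $webserver to $bastion_real port ssh

# Nothing on the internal side may open connections toward the DMZ.  This
# is already covered by "block log all"; it is spelled out so the intent
# survives the next person adding a broad "pass out" rule above it.
block out log on $ext_if from $int_if:network
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the drops with `tcpdump -n -e -ttt -i pflog0`. The point Peter makes is visible in the rule set: once the default block and the single `pass` rule are in place, a leaked `10.10.10.5` is just a name, not a path, and an attacker on the web server ends up with exactly one reachable port that still demands SSH authentication. Whether the operating system behind that port is FreeBSD or OpenBSD does not change that.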
