Anyone who puts in an inline IDS is a damned idiot. D stands for detection, so you should always use a tap or something else. Only IPS should be inline.
You obviously do not know what you're talking about. Things like NAT have their uses too, but people who design networks including DMZs and networks that require external routing but put them behind NATs deserve everything they get.

On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer <lists-open...@bsws.de> wrote:
>
>> * openbsder <openbs...@gmail.com> [2009-04-24 12:19]:
>> > Recently, it has been suggested that a transparent firewall implementation
>> > is ideal where possible. But as far as I understand, transparency is only
>> > available when the firewall acts as a bridge between TWO networks. How would
>> > I keep my DMZ and LAN both while using a bridging firewall? Is it even
>> > possible?
>>
>> yes. lots of idiots do it.
>
> Really? What's wrong with transparent bridging? What's wrong with a
> transparent, in-line IDS? What's wrong with a software tap? All of these
> technologies use some sort of transparent bridging and are not being used
> exclusively by idiots, but also smart people [1] [2]
>
> [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
> [2] http://www.shiftedbit.net/IDS.txt
> [3] http://www.securityfocus.com/infocus/1737
>
>> bridging is stupid. don't. there are cases where you can't avoid it,
>> but deliberately? about as clever as knowingly drinking methanol.
>
> Bridging, in the ample sense, is not stupid. Your switch is doing that.
> Bridging, in the sense of firewalls, is also not stupid. There are reasons
> why you want to use a transparent bridging-mode firewall.
>>
>> --
>> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> BS Web Services, http://bsws.de
>> Full-Service ISP - Secure Hosting, Mail and DNS Services
>> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/

--
Sent from my mobile device

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related