On Sun, Apr 26, 2009 at 9:21 PM, bofh <goodb...@gmail.com> wrote:

> Anyone who puts in an inline IDS is a damned idiot. D stands for
> detection, so you should always use a tap or something else. Only IPS
> should be inline.

You should provide arguments, not empty words. At least, if you are
calling people idiots.

> You obviously do not know what you're talking about. Things like NAT
> have their uses too, but people who design networks including DMZs and
> networks that require external routing but put them behind NATs
> deserve everything they get.

I don't know what DMZ and NAT have to do with what we're discussing here.
Instead of calling people idiots you could provide valid reasoning
supported by arguments.

> On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> > On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer <lists-open...@bsws.de> wrote:
> >
> > > * openbsder <openbs...@gmail.com> [2009-04-24 12:19]:
> > > > Recently, it has been suggested that a transparent firewall
> > > > implementation is ideal where possible. But as far as I understand,
> > > > transparency is only available when the firewall acts as a bridge
> > > > between TWO networks. How would I keep my DMZ and LAN both while
> > > > using a bridging firewall? Is it even possible?
> > >
> > > yes. lots of idiots do it.
> >
> > Really? What's wrong with transparent bridging? What's wrong with a
> > transparent, in-line IDS? What's wrong with a software tap? All of these
> > technologies use some sort of transparent bridging and are not being used
> > exclusively by idiots, but also by smart people [1] [2]
> >
> > [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
> > [2] http://www.shiftedbit.net/IDS.txt
> > [3] http://www.securityfocus.com/infocus/1737
> >
> > > bridging is stupid. don't. there are cases where you can't avoid it,
> > > but deliberately? about as clever as knowingly drinking methanol.
> >
> > Bridging, in the ample sense, is not stupid. Your switch is doing that.
> > Bridging, in the sense of firewalls, is also not stupid. There are reasons
> > why you want to use a transparent bridging-mode firewall.
> >
> > > --
> > > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > > BS Web Services, http://bsws.de
> > > Full-Service ISP - Secure Hosting, Mail and DNS Services
> > > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
> >
> > --
> > http://www.felipe-alfaro.org/blog/disclaimer/
>
> --
> Sent from my mobile device
>
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted." -- Gene Spafford
> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

--
http://www.felipe-alfaro.org/blog/disclaimer/
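The question quoted at the top of this thread (can a transparent, bridging pf firewall keep a LAN and a DMZ apart when the bridge joins more than two segments) is easiest to answer with a configuration. What follows is an added example written for this page; it is not code from the thread, from OpenBSD, or from any of the posters. It assumes an OpenBSD box with three bridged NICs named em0 (upstream router), em1 (LAN switch) and em2 (DMZ switch), none of which carries an IP address, plus a separate management NIC that is not part of the bridge. The addresses come from the RFC 5737 documentation range and are constructed for the example. The bridge itself is built with a hostname.bridge0 file containing "add em0", "add em1", "add em2" and "up"; the pf.conf below does the separation.

```pf
# /etc/pf.conf for a three-port transparent (bridging) firewall.
# Added example, not from the mailing-list thread. Interface names and
# addresses are assumptions made for illustration.
#
# Bridge members (configured in /etc/hostname.bridge0: add em0, add em1,
# add em2, up). They have no IP addresses, so the firewall is invisible
# at layer 3; pf still sees every IP packet that crosses the bridge.
ext_if = "em0"   # towards the upstream router
lan_if = "em1"   # LAN switch
dmz_if = "em2"   # DMZ switch

# One broadcast domain shared by all three segments; LAN and DMZ are
# separated by pf, not by subnet (RFC 5737 addresses, constructed).
lan_net = "192.0.2.0/26"
dmz_net = "192.0.2.64/26"
dmz_web = "192.0.2.80"

set skip on lo

# Default deny, both directions, on every bridge member. IPv6 stays
# blocked because every pass rule below is "inet" only.
block log all

# A bridged packet passes pf twice: "in" on the member it arrives on and
# "out" on the member it leaves by. With the default floating state
# policy, the state created by an "in" rule also matches the same packet
# on its way "out" and the replies coming back, so filtering on the
# ingress member is enough and the "out" side never needs its own rules.

# LAN -> anywhere except the DMZ block (Internet via the upstream router).
pass in on $lan_if inet from $lan_net to ! $dmz_net

# LAN -> DMZ: only HTTP/HTTPS to the web server, nothing else.
pass in on $lan_if inet proto tcp from $lan_net to $dmz_web port { 80 443 }

# Internet -> DMZ: only HTTP/HTTPS to the web server. The LAN is never
# reachable from outside because no rule on $ext_if names $lan_net.
pass in on $ext_if inet proto tcp from any to $dmz_web port { 80 443 }

# DMZ -> anywhere except the LAN (updates, DNS, outbound mail).
# A compromised DMZ host therefore cannot open connections into the LAN.
pass in on $dmz_if inet from $dmz_net to ! $lan_net

# Caveat: pf only filters IP. ARP and other non-IP frames cross the bridge
# unfiltered, so hosts on all three segments can still ARP each other.
# If that matters, add layer-2 filter rules on the bridge itself
# (ifconfig bridge0 rule ...) or set "blocknonip" on the members.
```

Check it with `pfctl -nf /etc/pf.conf` before loading; a typo in a macro turns into a rule that never matches rather than a parse error. The point the example makes for the thread is that "transparent" does not mean "two ports": the bridge can have as many members as you have NICs, and the segmentation comes from the per-interface `in` rules, exactly as it would on a routed firewall.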