It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting externally accessible/routable hosts), it pisses
me off.

People use it because they have a need to do something.  When you're
told there's a better way to do things, pay attention, instead of
telling the experts here (and I'm talking about the openbsd developers
in this thread - not me, I'm in management now, no brain cells left)
they're wrong because you have all these great URLs - if you want to
listen to those people, then you should be using the OS they use too.

On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> On Sun, Apr 26, 2009 at 9:21 PM, bofh <goodb...@gmail.com> wrote:
>
>> Anyone who puts in an inline IDS is a damned idiot.  D stands for
>> detection, so you should always use a tap or something else.  Only IPS
>> should be inline.
>
>
> You should provide arguments, not empty words. At least, if you are calling
> people idiots.
>
>
>> You obviously do not know what you're talking about.  Things like NAT
>> have their uses too, but people who design networks including DMZs and
>> networks that require external routing but put them behind NATs
>> deserve everything they get.
>
>
> I don't know what DMZ and NAT have to do with what we're discussing here.
> Instead of calling people idiots you could provide a valid reasoning
> supported by arguments.
>
>
>>
>>
>> On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
>> > On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer
>> > <lists-open...@bsws.de> wrote:
>> >
>> >> * openbsder <openbs...@gmail.com> [2009-04-24 12:19]:
>> >> > Recently, it has been suggested that a transparent firewall
>> >> > implementation is ideal where possible. But as far as I understand,
>> >> > transparency is only available when the firewall acts as a bridge
>> >> > between TWO networks. How would I keep my DMZ and LAN both while
>> >> > using a bridging firewall? Is it even possible?
>> >>
>> >> yes. lots of idiots do it.
>> >
>> >
>> > Really? What's wrong with transparent bridging? What's wrong with a
>> > transparent, in-line IDS? What's wrong with a software tap? All of
>> > these technologies use some sort of transparent bridging and are not
>> > being used exclusively by idiots, but also smart people [1] [2]
>> >
>> > [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
>> > [2] http://www.shiftedbit.net/IDS.txt
>> > [3] http://www.securityfocus.com/infocus/1737
>> >
>> >> bridging is stupid. don't. there are cases where you can't avoid it,
>> >> but deliberately? about as clever as knowingly drinking methanol.
>> >
>> >
>> > Bridging, in the ample sense, is not stupid. Your switch is doing that.
>> > Bridging, in the sense of firewalls, is also not stupid. There are
>> > reasons why you want to use a transparent bridging-mode firewall.
>> >
>> >
>> >>
>> >> --
>> >> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> >> BS Web Services, http://bsws.de
>> >> Full-Service ISP - Secure Hosting, Mail and DNS Services
>> >> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>> >>
>> >>
>> >
>> >
>> > --
>> > http://www.felipe-alfaro.org/blog/disclaimer/
>> >
>> >
>>
>> --
>> Sent from my mobile device
>>
>> http://www.glumbert.com/media/shift
>> http://www.youtube.com/watch?v=tGvHNNOLnCk
>> "This officer's men seem to follow him merely out of idle curiosity."
>> -- Sandhurst officer cadet evaluation.
>> "Securing an environment of Windows platforms from abuse - external or
>> internal - is akin to trying to install sprinklers in a fireworks
>> factory where smoking on the job is permitted."  -- Gene Spafford
>> learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
>>
>>
>
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/
>

-- 
Sent from my mobile device

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
