On Mon, Apr 27, 2009 at 1:10 AM, bofh <goodb...@gmail.com> wrote:
> It's called going off on a related tangent - whenever I hear people
> talking about using something because someone has published a paper
> and here's all these smart people using it (transparent bridging, etc,
> or in my case natting externally accessible/routable hosts), it pisses
> me off.
>
> People use it because they have a need to do something. When you're
> told there's a better way to do things, pay attention, instead of
> telling the experts here (and I'm talking about the openbsd developers
> in this thread - not me, I'm in management now, no brain cells left)
> they're wrong because you have all these great URLs - if you want to
> listen to those people, then you should be using the OS they use too.

Still no arguments on why idiots use transparent firewalls. Good to know.

> On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> > On Sun, Apr 26, 2009 at 9:21 PM, bofh <goodb...@gmail.com> wrote:
> >
> >> Anyone who puts in an inline IDS is a damned idiot. D stands for
> >> detection, so you should always use a tap or something else. Only IPS
> >> should be inline.
> >
> > You should provide arguments, not empty words. At least, if you are
> > calling people idiots.
> >
> >> You obviously do not know what you're talking about. Things like NAT
> >> have their uses too, but people who design networks including DMZs and
> >> networks that require external routing but put them behind NATs
> >> deserve everything they get.
> >
> > I don't know what DMZ and NAT have to do with what we're discussing here.
> > Instead of calling people idiots you could provide valid reasoning
> > supported by arguments.
> >
> >> On 4/26/09, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> >> > On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer
> >> > <lists-open...@bsws.de> wrote:
> >> >
> >> >> * openbsder <openbs...@gmail.com> [2009-04-24 12:19]:
> >> >> > Recently, it has been suggested that a transparent firewall
> >> >> > implementation is ideal where possible. But as far as I understand,
> >> >> > transparency is only available when the firewall acts as a bridge
> >> >> > between TWO networks. How would I keep my DMZ and LAN both while
> >> >> > using a bridging firewall? Is it even possible?
> >> >>
> >> >> yes. lots of idiots do it.
> >> >
> >> > Really? What's wrong with transparent bridging? What's wrong with a
> >> > transparent, in-line IDS? What's wrong with a software tap? All of
> >> > these technologies use some sort of transparent bridging and are not
> >> > being used exclusively by idiots, but also by smart people [1] [2]
> >> >
> >> > [1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
> >> > [2] http://www.shiftedbit.net/IDS.txt
> >> > [3] http://www.securityfocus.com/infocus/1737
> >> >
> >> >> bridging is stupid. don't. there are cases where you can't avoid it,
> >> >> but deliberately? about as clever as knowingly drinking methanol.
> >> >
> >> > Bridging, in the broad sense, is not stupid. Your switch is doing that.
> >> > Bridging, in the sense of firewalls, is also not stupid. There are
> >> > reasons why you want to use a transparent bridging-mode firewall.
> >> >
> >> >> --
> >> >> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> >> >> BS Web Services, http://bsws.de
> >> >> Full-Service ISP - Secure Hosting, Mail and DNS Services
> >> >> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
> >> >
> >> > --
> >> > http://www.felipe-alfaro.org/blog/disclaimer/
> >>
> >> --
> >> Sent from my mobile device
> >>
> >> http://www.glumbert.com/media/shift
> >> http://www.youtube.com/watch?v=tGvHNNOLnCk
> >> "This officer's men seem to follow him merely out of idle curiosity."
> >> -- Sandhurst officer cadet evaluation.
> >> "Securing an environment of Windows platforms from abuse - external or
> >> internal - is akin to trying to install sprinklers in a fireworks
> >> factory where smoking on the job is permitted." -- Gene Spafford
> >> learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

--
http://www.felipe-alfaro.org/blog/disclaimer/
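The original question in the thread (whether a DMZ and a LAN can both sit behind one bridging firewall) gets a one-word "yes" and no configuration. The following is an added example, not taken from the thread or from any of the participants: a three-port filtering bridge on OpenBSD with pf, where the bridge has no IP address of its own and management happens on a separate interface. Interface names (em0..em3), the TEST-NET ranges used as DMZ and LAN addresses, and the web server address are all assumptions for illustration.

```conf
# /etc/hostname.em0, /etc/hostname.em1, /etc/hostname.em2 each contain
# just "up": bridge members carry no IP address, so the firewall itself
# is not addressable from any of the bridged segments.
#
# /etc/hostname.bridge0 (hypothetical layout: em0 = upstream router,
# em1 = DMZ, em2 = LAN):
add em0
add em1
add em2
# Optional hardening: forward only IP/ARP on the bridged ports.
blocknonip em0
blocknonip em1
blocknonip em2
up

# /etc/hostname.em3 -- out-of-band management port, the only interface
# with an address (assumed management network 192.0.2.0/24):
# inet 192.0.2.5 255.255.255.0

# /etc/pf.conf for the bridge above (assumed addresses, not from the page)
ext_if  = "em0"
dmz_if  = "em1"
lan_if  = "em2"
mgmt_if = "em3"
dmz_net = "203.0.113.0/24"
lan_net = "198.51.100.0/24"
mgmt_net = "192.0.2.0/24"
web_srv = "203.0.113.10"

set skip on lo

# A frame crossing the bridge is seen by pf twice: inbound on the
# member it arrives on and outbound on the member it leaves by.
# Filter only on the inbound pass so each flow is evaluated once;
# the default floating state policy matches replies on the other member.
block log all
pass out quick on { $ext_if $dmz_if $lan_if }

# Internet -> DMZ: only the published services.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 }

# DMZ -> anywhere except the LAN. Forbidding DMZ-initiated traffic into
# the LAN is the whole point of keeping the two segments on separate
# bridge ports instead of one flat L2 domain.
pass in on $dmz_if from $dmz_net to ! $lan_net

# LAN -> anywhere (outbound clients and access to DMZ services).
pass in on $lan_if from $lan_net

# Management of the firewall itself, only from the management network,
# only on the dedicated port: the bridge members never accept it.
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port 22
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pf=YES` in /etc/rc.conf.local enables it at boot. No `net.inet.ip.forwarding` is needed, since nothing is routed. The checks worth running after bringing it up: from a DMZ host, confirm that the LAN is unreachable while outbound still works; from the LAN, confirm that the web server answers on 80/443 and nothing else; and from the upstream side, confirm that the firewall's own management address does not answer at all. Note that the example only answers the thread's "is it possible" question; Henning's objection in the thread is to the design choice, not to whether pf can do it.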