On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgr...@ns.sol.net> wrote:
>> I say this with the utmost respect, but you must understand the
>> principle of defense in depth in order to make competent security
>> decisions for your organization. Smart people disagree on the details
>> but the principle is not only ironclad, it applies to all forms of
>> security, not just IP network security.
>
> The problem here is that what's actually going on is that you're now
> enshrining as a "security" device a hacky, ill-conceived workaround
> for a lack of flexibility/space/etc in IPv4. NAT was not designed
> to act as a security feature.
Hi Joe,

That would be one of those "details" on which smart people disagree.
In this case, I think you're wrong. Modern NAT superseded the transparent
proxies and bastion hosts of the '90s because it does the same security
job a little more smoothly. And proxies WERE designed to act as a
security feature.

>> You'd expect folks to give up two layers of security at exactly the
>> same time as they're absorbing a new network protocol with which
>> they're yet unskilled? Does that make sense to you from a
>> risk-management standpoint?
>
> Actually, yes, it does. Using the product as intended is substantially
> less risky than trying to figure out how to use some sort of proxy or
> gateway functionality to emulate NAT, and then screwing that up.

What sort of traction are you getting from that argument when you speak
with enterprise security folks?

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004