Against my better judgment to get in the middle of this classic
discussion, two points...
One, many firewalls have fail-safe capabilities, in addition to fail-secure;
even if they didn't it could be trivially programmed, or configured to
do so in series,
and as configuration is fairly arbitrary t
There are some methods of security that NAT has a good use for. We
use NAT to prevent reachability. In other words, not only does an ACL
have to allow traffic through the FW, but a complementing NAT rule has to
allow the actual layer 3 reachability. If not, even with the ACL, the
routing path
>
> On the other hand, since a firewall's job is to stop packets you don't want,
> if it stops doing its job as a firewall, it's likely to keep on doing its
> other job: passing packets. It certainly depends on the fundamental design
> of the firewall, which I can't speak to generally... but y
On Nov 14, 2011 9:22 PM, wrote:
>
> On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:
>
> > Using two firewalls in serial from two different vendors doubles the
> > complexity. Yet it almost always improves security: fat fingers on one
> > firewall rarely repeat the same way on the second and
On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:
> Using two firewalls in serial from two different vendors doubles the
> complexity. Yet it almost always improves security: fat fingers on one
> firewall rarely repeat the same way on the second and a rogue packet
> must pass both.
Fat finge
On Mon, Nov 14, 2011 at 2:55 PM, Jay Ashworth wrote:
> The basic assertion made by proponents of this theory, when analyzed,
> amounts to "the probability that a firewall between a publicly routable
> internal network and the internet will fail in such a fashion as to pass
> packets addressed to
On 11/14/2011 4:21 PM, Rubens Kuhl wrote:
> For the common good it doesn't matter if the "NAT is good" guys are
> right or the "NAT is useless" guys are right, as they both fail to
> decrease the numbers of their opposing parts. We must get IPv6 done
> for both of them.
Hehehe... depending on you
On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg wrote:
> But a NAT implementation adds thousands of lines of code to the path the
> packets take, and any time you introduce complexity you decrease the overall
> security of the system. And the complexity extends beyond the NAT box.
> Hacking on
Jay Ashworth wrote:
- Original Message -
From: "Valdis Kletnieks"
On the other hand, since a firewall's job is to stop packets you
don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating
badness".
A firewall's job isn't to stop unwanted packets, it's to pas
There really is no winner or "right way" on this thread. In IPv4 as a
security guy we have often implemented NAT as an extra layer of obfuscation.
It's worse than just obfuscation. The 'security' side effect of NAT can
typically be implemented by four or five rules in a traditional firewall.
Firewalls and NATs are "warm fuzzy feeling" devices. The best way
to keep secure is to run up to date software and to only provide
services you need.
Firewalls and NAT both inhibit inventions. Both really do very little
with modern operating systems that have been designed to be connected
witho
On Monday, 14 November 2011 at 15:43 -0600, -Hammer- wrote:
> There really is no winner or "right way" on this thread. In IPv4 as a
> security guy we have often implemented NAT as an extra layer of
> obfuscation. In IPv6, that option really isn't there. So it's a cultural
> change for me. I'm no
- Original Message -
> From: "Valdis Kletnieks"
> > On the other hand, since a firewall's job is to stop packets you
> > don't want,
>
> One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating
> badness".
> A firewall's job isn't to stop unwanted packets, it's to pass only
>
There really is no winner or "right way" on this thread. In IPv4 as a
security guy we have often implemented NAT as an extra layer of
obfuscation. In IPv6, that option really isn't there. So it's a cultural
change for me. I'm not shedding any tears. We've talked to our FW
vendors about various
For the common good it doesn't matter if the "NAT is good" guys are
right or the "NAT is useless" guys are right, as they both fail to
decrease the numbers of their opposing parts. We must get IPv6 done
for both of them.
It seems that application reverse-proxies can make "NAT is good" guys
happy,
On Mon, 14 Nov 2011 15:55:14 EST, Jay Ashworth said:
> On the other hand, since a firewall's job is to stop packets you don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness".
A firewall's job isn't to stop unwanted packets, it's to pass only wanted
packets.
>