Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- Subject: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- Date: Mon, 14 Nov 2011 16:10:32 -0500
- In-reply-to: Your message of "Mon, 14 Nov 2011 15:55:14 EST." <[email protected]>
- References: <[email protected]>
On Mon, 14 Nov 2011 15:55:14 EST, Jay Ashworth said:
> On the other hand, since a firewall's job is to stop packets you don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness".
A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.
> if it stops doing its job as a firewall, it's likely to keep on doing its
> other job: passing packets.
As a result, a firewall that fails open rather than closed is mis-designed.
And if you're deploying a firewall and don't know if the failure mode is open or
closed, you probably get what you deserve when it fails.
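As an added illustration of the two points above (this is not part of the thread and not any poster's code), the small Python policy evaluator below compares an "enumerate badness" rule set (known-bad ports and ranges dropped, everything else passed) with a "pass only wanted" rule set (known services accepted, default drop), and shows a fail-closed loader that forwards nothing when the rule set cannot be read. All addresses, ports and rules are constructed for the example; the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are used only as placeholders.

```python
"""Default-deny ("pass only wanted") vs default-allow ("enumerate badness")
packet policies, plus fail-closed handling of an unloadable rule set.

Constructed example: the rules, addresses and packets are made up for
illustration and do not come from the thread or any real device config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None   # CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First-match evaluation; `default` is the chain policy used when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# "Enumerate badness": drop what we already know is bad, pass everything else.
BLOCKLIST = [
    Rule("drop", proto="tcp", dport=23),        # telnet
    Rule("drop", proto="tcp", dport=445),       # SMB
    Rule("drop", src="192.0.2.0/24"),           # a range we have decided to block
]

# "Pass only wanted": accept the services we actually run, drop the rest.
ALLOWLIST = [
    Rule("accept", proto="tcp", dport=443),                        # public HTTPS
    Rule("accept", proto="tcp", dport=22, src="198.51.100.0/24"),  # SSH from admin net only
]


def decide_enumerate_badness(pkt: Packet) -> str:
    return evaluate(BLOCKLIST, "accept", pkt)


def decide_default_deny(pkt: Packet) -> str:
    return evaluate(ALLOWLIST, "drop", pkt)


def load_and_evaluate(load_rules: Callable[[], List[Rule]], default: str, pkt: Packet) -> str:
    """Fail closed: if the rule set cannot be loaded, the firewall forwards nothing,
    regardless of what the chain's normal default would have been."""
    try:
        rules = load_rules()
    except Exception:
        return "drop"
    return evaluate(rules, default, pkt)


# Constructed sample traffic: one wanted flow, one known-bad flow, and a service
# nobody anticipated (a database port that got exposed after the rules were written).
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.10", "tcp", 443),
    Packet("203.0.113.7", "198.51.100.10", "tcp", 23),
    Packet("203.0.113.7", "198.51.100.10", "tcp", 6379),
]

if __name__ == "__main__":
    print("dport  enumerate-badness  default-deny")
    for p in SAMPLE:
        print(f"{p.dport:<6} {decide_enumerate_badness(p):<18} {decide_default_deny(p)}")
```

The third sample packet is the one that matters: the blocklist never heard of port 6379, so it passes, while the allowlist drops it without anyone having to predict it. The `load_and_evaluate` wrapper makes the failure mode explicit in code, which is the property the post says you should know before deploying the device.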