Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- Subject: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- Date: Tue, 15 Nov 2011 00:21:25 -0500
- In-reply-to: Your message of "Mon, 14 Nov 2011 19:06:13 EST." <CAP-guGX__gLuAcH=CniRf21OaApSmq7xKWRYzKwxJg9ChKZoig@mail.gmail.com>
- References: <[email protected]> <[email protected]> <[email protected]> <CAP-guGX__gLuAcH=CniRf21OaApSmq7xKWRYzKwxJg9ChKZoig@mail.gmail.com>
On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:
> Using two firewalls in serial from two different vendors doubles the
> complexity. Yet it almost always improves security: fat fingers on one
> firewall rarely repeat the same way on the second and a rogue packet
> must pass both.
Fat fingers are actually not the biggest issue - a far bigger problem is brain
failures. If you thought opening port 197 was a good idea, you will have done
it on both firewalls. And it doesn't even help to run automated config
checkers - because you'll have marked port 197 as "good" in there as well. ;)
And it doesn't even help with fat-finger issues anyhow, because you *know* that
if your firewall admin is any good, they'll just write a script that loads both
firewalls from a master config file - and then proceed to fat-finger said
config file.