[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Have they stopped teaching Defense in Depth?
On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <owen at delong.com> wrote:
> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka at isc.org> wrote:
>>> If you want to use unroutable addresses then use a bastion host /
>>> proxy.
>>
>> What is a modern NAT but a bastion host proxy for which application
>> compatibility has been maximized?
>
> It is a mechanism for header mutilation which creates additional costs
> in hardware (cost of routers), software (development of NAT traversal
> code in various applications, NAT software in some cases), security
> (NAT obfuscates audit trails and increases the difficulty and cost of
> event correlation, forensics, abuser identification, and attack source
> identification and mitigation, etc.).
In other words, all of the things a proxy does but without sacrificing
as many applications.
-Bill
--
William D. Herrin ................ herrin at dirtside.com? bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004