nanog mailing list archives

Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...


From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Nov 2011 00:21:25 -0500

On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:

> Using two firewalls in serial from two different vendors doubles the
> complexity. Yet it almost always improves security: fat fingers on one
> firewall rarely repeat the same way on the second and a rogue packet
> must pass both.

Fat fingers are actually not the biggest issue - a far bigger problem is brain
failures.  If you thought opening port 197 was a good idea, you will have done
it on both firewalls.  And it doesn't even help to run automated config
checkers - because you'll have marked port 197 as "good" in there as well. ;)

And it doesn't even help with fat-finger issues anyhow, because you *know* that
if your firewall admin is any good, they'll just write a script that loads both
firewalls from a master config file - and then proceed to fat-finger said
config file.
