On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
>> I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
>
> The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc. in IPv4. NAT was not designed to act as a security feature.

Hi Joe,

That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.

>> You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?
>
> Actually, yes, it does. Using the product as intended is substantially less risky than trying to figure out how to use some sort of proxy or gateway functionality to emulate NAT, and then screwing that up.

What sort of traction are you getting from that argument when you speak with enterprise security folks?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
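An added example, written by the editor and not by either poster: the "gateway functionality" the exchange argues about, as an nftables ruleset for an IPv6 forwarding gateway (interface names lan0 and wan0 are assumed). It keeps the one property NAT provided as a side effect, no unsolicited inbound connections, while still passing the ICMPv6 error messages IPv6 forwarding depends on.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). Stateful IPv6 forward filter that
# blocks inbound connection attempts the way a NAT table did incidentally,
# but as an explicit, auditable policy. lan0/wan0 are assumed names.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the inside already opened
        ct state established,related accept

        # Inside hosts may initiate new connections outward only
        iifname "lan0" oifname "wan0" ct state new accept

        # IPv6 has no router fragmentation: if Packet Too Big is dropped,
        # path MTU discovery fails and large transfers silently hang.
        # These error types are safe to forward to inside hosts.
        icmpv6 type { packet-too-big, time-exceeded,
                      destination-unreachable, parameter-problem } accept

        # Everything else hits the drop policy; log a sample of it so
        # blocked inbound attempts are visible, which NAT never made them
        limit rate 10/minute log prefix "v6-fwd-drop: "
    }
}
```

Neighbor Discovery is link-local and never forwarded, so it needs no rule here; a matching input chain for the gateway itself must accept the ND ICMPv6 types or the gateway loses its own neighbors.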