On Wed, 21 Apr 2010 14:24:37 -0400 William Herrin <bill@herrin.us> wrote:
On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer <kauer@biplane.com.au> wrote:
On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
NAT _always_ fails-closed.
Stateful Inspection can be implemented fail-closed.
Not to take issue with either statement in particular, but I think there needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the firewall to work around a priority problem while the senior engineer is on vacation. With NAT protecting unroutable addresses, that failure mode fails closed.
Fail is expecting a low level staff member, who doesn't know better, to substitute for a senior one, who does. Would you also let a helpdesk team leader (low level, relatively inexperienced management position) take over the CEO's job if the CEO was available and there was a business crisis? A medical student take over from a doctor in an emergency ward?
Regards, Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
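The failure mode argued over above (the edge device gets swapped for a plain router that forwards by destination address alone) can be modelled in a few lines. The following is an added example written for this page, not code from anyone in the thread; the hosts, the NAT mapping and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed stand-ins for a routable prefix and an outside probe. It compares two designs under the same substitution: a private (RFC 1918) inner host behind NAT, and a publicly addressed inner host behind a stateful firewall.

```python
"""
Toy model of the "firewall replaced by a plain router" failure mode.
Added example for this page; addresses, hosts and the NAT table are
constructed, not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Prefixes the upstream will not route (RFC 1918).
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def upstream_delivers_to_edge(pkt: Packet) -> bool:
    """The ISP only forwards packets whose destination is globally routable."""
    return not any(ip_address(pkt.dst) in net for net in PRIVATE)


def nat_edge(pkt: Packet, nat_table: dict):
    """Stateful NAT: inbound traffic reaches an inner host only via an
    existing (public_ip, public_port) -> inner_ip mapping created outbound."""
    return nat_table.get((pkt.dst, pkt.dport))


def stateful_firewall(pkt: Packet, inner_hosts: set, established: set):
    """Inner hosts hold public addresses; inbound is allowed only for flows
    the firewall has already seen leave."""
    if pkt.dst in inner_hosts and (pkt.dst, pkt.dport) in established:
        return pkt.dst
    return None


def plain_router(pkt: Packet, inner_hosts: set):
    """The replacement device: no state, no translation, forwards by destination."""
    return pkt.dst if pkt.dst in inner_hosts else None


def inbound(pkt: Packet, edge):
    """Return the inner host that receives pkt, or None if it is dropped."""
    if not upstream_delivers_to_edge(pkt):
        return None
    return edge(pkt)


def compare_failure_modes() -> dict:
    """Unsolicited inbound SSH probe against each design, before and after
    the edge device is swapped for a plain router."""
    attacker = "198.51.100.7"
    results = {}

    # Design 1: private inner host 10.0.0.5 behind NAT on public 203.0.113.1.
    nat_hosts = {"10.0.0.5"}
    nat_table = {("203.0.113.1", 40000): "10.0.0.5"}  # one live outbound flow
    probe_public = Packet(attacker, "203.0.113.1", 22)
    probe_private = Packet(attacker, "10.0.0.5", 22)
    results["nat_normal"] = inbound(probe_public, lambda p: nat_edge(p, nat_table))
    # After the swap: nothing translates 203.0.113.1 to the inner host, and the
    # inner host's own address never arrives from upstream.
    results["nat_replaced_public_dst"] = inbound(probe_public, lambda p: plain_router(p, nat_hosts))
    results["nat_replaced_private_dst"] = inbound(probe_private, lambda p: plain_router(p, nat_hosts))

    # Design 2: publicly addressed inner host 203.0.113.5 behind a stateful firewall.
    fw_hosts = {"203.0.113.5"}
    established = {("203.0.113.5", 40001)}  # one live outbound flow
    probe = Packet(attacker, "203.0.113.5", 22)
    results["fw_normal"] = inbound(probe, lambda p: stateful_firewall(p, fw_hosts, established))
    # After the swap: the router happily forwards the unsolicited probe.
    results["fw_replaced"] = inbound(probe, lambda p: plain_router(p, fw_hosts))
    return results


if __name__ == "__main__":
    for name, host in compare_failure_modes().items():
        print(f"{name:26s} -> {'dropped' if host is None else 'delivered to ' + host}")
```

In the model, "closed" for the NAT design means the inner host is unreachable from outside, which is also why the site is down until someone notices; the model deliberately leaves out the replacement router's own management plane, which now sits on the public address and is exposed in both designs.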