Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: sex, lies, and firewall code
From: Peter da Silva <peter @ baileynm . com>
Date: Mon, 20 Oct 1997 17:39:45 -0500 (CDT)
To: craig . wright @ asx . com . au (Craig S. Wright)
Cc: joej @ joesmac . ultranet . com, peter @ baileynm . com, rick @ paimail . com, firewalls @ GreatCircle . COM
In-reply-to: <01BCDDEE . A3D2D6F0 @ aragon> from "Craig S. Wright" at Oct 21, 97 06:57:46 am

> 	Skip does not function very well with a plug gateway. Any encryption
> schema using IP header information fails when either NAT or a proxy
> changes the header.

That's true. Security and convenience are often contraindicated. If you
let people do clever things with IP headers the results can be good or
bad. Personally, I think that having IP addresses as part of your security
is dangerous.

> 	Plugs do not cover round robin DNS functionality for web servers.

Sure they do. You can bind different plugs to different IP addresses on the
outside.  It's hard to do with plug-gw but my plugdaemon handles it... and
it also has the ability to do round-robin itself.

> The skill comes in securing the connection with as little loss of
> functionality as is possible.

The skill comes in satisfying the business needs without abandoning any
more security than is necessary.

