> Our vendor promotes their firewall (DEC SEAL) by saying that it doesn't let
> any private network addresses out onto the Internet.
Right idea, wrong explanation. Not that I know much about SEAL,
of course, but I'll try... :)
> But if inside addresses were leaked out, how would security be lessened? I
> don't think there's a way to break in by knowing the internal network address.
The reason firewalls like SEAL or Gauntlet or other firewalls that
"don't leak any private network addresses onto the Internet" are believed
to be more secure is because in order for them to work that way, they
aren't directly routing any traffic between the Internet and the
protected network. In other words, the security doesn't come from
obscurity - it comes from the fact that the firewall acts as a total
packet blockade. The firewall is then the only machine that can be
reached from the Internet, and is a single point of attack. A single
point of attack means a single point of defense; you can nail the
firewall down as tightly as you can and not worry about someone
somehow managing to skip a packet through to some undefended machine
on the inside, somehow.
mjr.
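The "total packet blockade" property mjr describes can be stated as a check on traffic seen at the firewall's external interface: outbound packets carry only the firewall's own address as source, and inbound packets carry only the firewall's address as destination. The following is an added example, not code from the original post or from the SEAL or Gauntlet products; the protected prefix 10.1.0.0/16, the firewall external address 192.0.2.1 and the packet records are all constructed for illustration.

```python
"""Check a capture from a firewall's external interface for the
'total packet blockade' property: nothing is routed straight between
the Internet and the protected network, so only the firewall's own
external address should ever appear on the outside.
Addresses and packets below are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving toward the Internet, "in" = arriving from it
    src: str
    dst: str


def find_violations(packets, protected_net, firewall_ext):
    """Return packets that contradict the blockade property.

    Outbound: an internal source address on the external side means the
    firewall forwarded the packet instead of proxying it (the "leaked
    address" symptom the vendor is really describing).
    Inbound: an internal destination address means a packet is being
    passed through to an inside machine that is not the firewall.
    """
    net = ipaddress.ip_network(protected_net)
    fw = ipaddress.ip_address(firewall_ext)
    violations = []
    for p in packets:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.direction == "out" and src != fw and src in net:
            violations.append(p)
        elif p.direction == "in" and dst != fw and dst in net:
            violations.append(p)
    return violations


def is_total_blockade(packets, protected_net, firewall_ext):
    """True when every packet involves only the firewall's external address."""
    return not find_violations(packets, protected_net, firewall_ext)


# Constructed sample capture (192.0.2.1 = firewall, 10.1.0.0/16 = inside).
SAMPLE = [
    Packet("out", "192.0.2.1", "198.51.100.7"),  # proxied by the firewall: fine
    Packet("in", "198.51.100.7", "192.0.2.1"),   # reply addressed to firewall: fine
    Packet("out", "10.1.4.22", "198.51.100.7"),  # inside source leaked: routing
    Packet("in", "198.51.100.9", "10.1.4.22"),   # passed through to inside host
]

if __name__ == "__main__":
    for p in find_violations(SAMPLE, "10.1.0.0/16", "192.0.2.1"):
        print("violation:", p)
```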