On Wed, 21 Apr 2010 14:24:37 -0400 William Herrin <b...@herrin.us> wrote:
> On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer <ka...@biplane.com.au> wrote:
> > On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
> >> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> >> > NAT _always_ fails-closed
> >> Stateful Inspection can be implemented fail-closed.
> >
> > Not to take issue with either statement in particular, but I think there
> > needs to be some consideration of what "fail" means.
>
> Fail means that an inexperienced admin drops a router in place of the
> firewall to work around a priority problem while the senior engineer
> is on vacation. With NAT protecting unroutable addresses, that failure
> mode fails closed.
>

Fail is expecting a low level staff member, who doesn't know better, to
substitute for a senior one, who does. Would you also let a helpdesk
teamleader (low level, relatively inexperienced management position) take
over the CEO's job if the CEO was available and there was a business
crisis? A medical student take over from a doctor in an emergency ward?

> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004