On Mar 24, 2014, at 9:20 AM, William Herrin <b...@herrin.us> wrote:

> On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer <ka...@biplane.com.au> wrote:
>> Addressable is not the same as
>> accessible; routable is not the same as routed.
> 
> Indeed. However, all successful security is about _defense in depth_.
> If it is inaccessible, unrouted, unroutable and unaddressable then you
> have four layers of security. If it is merely inaccessible and
> unrouted you have two.

That is, frankly, so gross an oversimplification as to be not only misleading, but outright inaccurate in many cases.

When considering defense in depth, layer thickness counts as much or more than number of layers.

Unroutable and unaddressable (which NAT and RFC-1918 arguably don’t actually provide in reality) are roughly equivalent to a slide-lock on a screen door in front of a stateful inspection bank vault door in front of an unrouted iron-bar day-door inside the vault.

I would argue that the value added by the screen door and its associated slide lock is near zero in the total equation.

Further, since the reality is that NAT and RFC-1918 can be exploited by the attackers to help hide their identity and obscure their activities, they are actually not added depth, but in fact erode the actual security. Further, since it is such a widely held misperception that they provide security, there’s probably a certain amount of negative impact due to the complacency and lack of vigilance that creates as well.

Owen
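The thread turns on four properties that are often conflated: addressable, routable/routed, and accessible. The script below is an added example, not code from any participant in this thread. It uses Python's standard `ipaddress` module to classify a destination against the three RFC 1918 blocks, a constructed longest-prefix-match routing table, and a constructed deny list standing in for the "stateful inspection" filter, so that each property is evaluated independently. The topology, next-hop names (`internal-core`, `dmz-router`, `upstream`) and deny prefix are all made up for illustration.

```python
"""Separating 'addressable', 'RFC 1918', 'routed' and 'accessible' for one destination.

Added example, not from the mailing-list thread. The routing table and the
deny list are constructed toy data; the point is that being inside an RFC 1918
block says nothing by itself about whether a route exists or a filter passes it.
"""
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse(addr):
    """Return an IPv4Address/IPv6Address, or None if the text is not an address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_rfc1918(ip):
    """True if ip is IPv4 and inside one of the RFC 1918 blocks."""
    return ip.version == 4 and any(ip in net for net in RFC1918)


class RoutingTable:
    """Minimal longest-prefix-match forwarding table (constructed, not a real router)."""

    def __init__(self, routes):
        # routes: iterable of (prefix, next_hop). Most specific prefix first,
        # so the first hit in lookup() is the longest match.
        self.routes = sorted(
            ((ipaddress.ip_network(p), nh) for p, nh in routes),
            key=lambda r: r[0].prefixlen,
            reverse=True,
        )

    def lookup(self, ip):
        """Return the next hop for ip, or None if no route covers it (unrouted)."""
        for net, next_hop in self.routes:
            if ip.version == net.version and ip in net:
                return next_hop
        return None


def is_filtered(ip, deny_list):
    """True if the (constructed) filter drops traffic to ip; deny_list holds prefixes."""
    return any(ip in ipaddress.ip_network(p) for p in deny_list)


def classify(addr, table, deny_list):
    """Evaluate the four properties discussed in the thread for one destination."""
    ip = parse(addr)
    if ip is None:
        # Not even a valid address: nothing else can be true.
        return {"addressable": False, "rfc1918": False, "routed": False, "accessible": False}
    routed = table.lookup(ip) is not None
    return {
        "addressable": True,
        "rfc1918": is_rfc1918(ip),
        "routed": routed,
        # Accessible only if a route exists *and* the filter does not drop it.
        "accessible": routed and not is_filtered(ip, deny_list),
    }


# Constructed sample topology: 10.0.0.0/8 is reachable internally, 10.1.0.0/16
# has a more specific route, 203.0.113.0/24 goes upstream, and nothing at all
# points at 192.168.0.0/16. The filter denies 10.1.2.0/24 regardless of routing.
TABLE = RoutingTable([
    ("10.0.0.0/8", "internal-core"),
    ("10.1.0.0/16", "dmz-router"),
    ("203.0.113.0/24", "upstream"),
])
DENY = ["10.1.2.0/24"]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.9.9.9", "192.168.1.1", "203.0.113.5", "not-an-address"):
        print(dst, classify(dst, TABLE, DENY))
```

Running it shows 10.1.2.3 as private, routed (via the more specific `dmz-router` entry) but not accessible because of the filter, 10.9.9.9 as private yet fully reachable, 192.168.1.1 as private and unrouted, and 203.0.113.5 as public and reachable; the private/public split lines up with none of the other columns.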
