[BBLISA] Limoncelli Article "Firewall is a Bridge"

John Stoffel john at stoffel.org
Mon Jul 18 09:48:18 EDT 2016


>>>>> "Edward" == Edward Ned Harvey (bblisa4) <bblisa4 at nedharvey.com> writes:

>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Daniel
>> Feenberg
>> 
>> We'd like to isolate a few machines from the rest of our LAN without
>> renumbering them into a subnet.

Edward> I don't envy the IT person or new hire who inherits this
Edward> environment someday. I'm sorry my comment isn't constructively
Edward> adding to the direction you want to go - you're probably very
Edward> smart and have thought this through, and considered all the
Edward> pros and cons, and have good management (or you are yourself,
Edward> management)... And I'm sorry that this email will probably
Edward> spark a debate about whether you should or should not, and all
Edward> the reasons why, which will distract from the answer that you
Edward> actually want. That being said, it is almost never a good
Edward> management decision to do "tricks" and configure systems in
Edward> weird, uncommon, nonstandard ways that will be surprising or
Edward> confusing to new future people, or just a later version of
Edward> yourself, who forgot you previously did something weird. If I
Edward> were manager there, it would require a *very* compelling
Edward> reason to convince me this should be done.

Hear hear!  If you have machines you don't trust, why can't you
re-number them?  Or even put them behind a NAT/Firewall that exposes
the original IPs for these hosts, but locks things down that way?
