[BBLISA] Limoncelli Article "Firewall is a Bridge"

Daniel Feenberg feenberg at nber.org
Mon Jul 18 10:48:02 EDT 2016



On Mon, 18 Jul 2016, John Stoffel wrote:

>>>>>> "Edward" == Edward Ned Harvey (bblisa4) <bblisa4 at nedharvey.com> writes:
>
>>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Daniel
>>> Feenberg
>>>
>>> We'd like to isolate a few machines from the rest of our LAN without
>>> renumbering them into a subnet.
>
> Edward> I don't envy the IT person or newhire who inherits this
> Edward> environment someday. I'm sorry my comment isn't constructively
> Edward> adding to the direction you want to go - you're probably very
> Edward> smart and have thought this through, and considered all the
> Edward> pros and cons, and have good management (or you are yourself,
> Edward> management)... And I'm sorry that this email will probably
> Edward> spark a debate about whether you should or should-not, and all
> Edward> the reasons why, which will distract from the answer that you
> Edward> actually want. That being said, it is almost never a good
> Edward> management decision to do "tricks" and configure systems in
> Edward> weird, uncommon, nonstandard ways that will be surprising or
> Edward> confusing to new future people, or just a later version of
> Edward> yourself, who forgot you previously did something weird. If I
> Edward> were manager there, it would require a *very* compelling
> Edward> reason to convince me this should be done.
>
> Hear hear!  If you have machines you don't trust, why can't you
> re-number them?

We have been asked to isolate a small subset of machines. Renumbering 
everything else to isolate a few seemed infelicitous.

> Or even put them behind a NAT/Firewall that exposes
> the original IPs for these hosts, but locks things down that way?

That is what we would like to do. As I understand it, using an ordinary 
bridge, the original IPs to be exposed would have to be in a subnet, which 
they are not. Nor do we have the IP space available to make a new subnet 
for them. Hence the interest in a transparent bridge. But if we can use 
NAT for this purpose, we are interested.

daniel feenberg
NBER
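The transparent-bridge option discussed above, as an added example that is not part of the thread: a Linux host with two interfaces bridged together, filtering with nftables rules in the bridge family so the isolated hosts keep their existing LAN addresses and no subnet or NAT is needed. Interface names (eth0, eth1, br0), the RFC 5737 documentation addresses and the choice of permitted traffic (SSH from one management host in, DNS to one resolver out) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bblisa thread): a Linux host acting as a
# transparent bridge firewall in front of a few machines that keep their
# existing LAN addresses. Assumed topology: eth0 faces the rest of the LAN,
# eth1 faces the isolated hosts, and br0 bridges the two. Interface names and
# the RFC 5737 documentation addresses below are placeholders.
ISOLATED_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"
ADMIN_HOST="192.0.2.5"       # management station allowed to SSH in
RESOLVER="192.0.2.53"        # LAN DNS server the isolated hosts may query

# Build the nftables ruleset as text. Rules live in the "bridge" family, so they
# filter frames as they cross br0; nothing is routed and no addresses change.
# Assumes a kernel with bridge conntrack support (nf_conntrack_bridge, 5.3+).
gen_ruleset() {
    hosts="$1"; admin="$2"; resolver="$3"
    elems=$(printf '%s' "$hosts" | tr ' ' ',')
    cat <<EOF
flush ruleset
table bridge isolate {
    set isolated { type ipv4_addr; elements = { ${elems} } }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to connections that were permitted below
        ct state established,related accept
        # ARP must cross the bridge or the hosts vanish at layer 2
        ether type arp accept
        # management access into the isolated group
        ip saddr ${admin} ip daddr @isolated tcp dport 22 accept
        # isolated hosts may resolve names against the LAN resolver
        ip saddr @isolated ip daddr ${resolver} udp dport 53 accept
        # everything else to or from the isolated group is logged and dropped
        ip daddr @isolated log prefix "isolate-in: " drop
        ip saddr @isolated log prefix "isolate-out: " drop
    }
}
EOF
}

# Create the bridge. Only the rules above decide what crosses it; the bridge
# itself carries no IP address, which is what keeps it transparent.
setup_bridge() {
    ip link add name br0 type bridge
    ip link set eth0 master br0
    ip link set eth1 master br0
    ip link set eth0 up
    ip link set eth1 up
    ip link set br0 up
}

# Run as "sh bridge-isolate.sh apply" on the bridge host; with no argument the
# script only prints the ruleset so it can be reviewed before loading.
if [ "${1:-}" = "apply" ]; then
    setup_bridge
    gen_ruleset "$ISOLATED_HOSTS" "$ADMIN_HOST" "$RESOLVER" | nft -f -
else
    gen_ruleset "$ISOLATED_HOSTS" "$ADMIN_HOST" "$RESOLVER"
fi
```

Because the filtering happens at the bridge rather than at a router, nothing outside the isolated group sees any change: the hosts keep their addresses and the bridge host needs none. The log prefixes are there so that blocked traffic shows up in syslog and can be watched; IPv6 would need matching `ip6` rules, since the set above only covers IPv4.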




