[BBLISA] Limoncelli Article "Firewall is a Bridge"
Bob Webber
webber at panix.com
Tue Jul 19 15:46:45 EDT 2016
First, reading through Tom Limoncelli’s article, I note several places where Tom says, “It’s probably not worth the effort to do this for a couple of servers,” or words to that effect. Tom’s article is promoting a mechanism provided by Lucent network gear while he worked at Lucent and had an opportunity to experiment with it. I’m probably one of the few fans of this idea you’ll find on this list, and I’ve never found a real justification for trying it.
As I recall, Juniper SRX devices are able to work in “transparent mode” (i.e. as a bridge) and I’d be surprised if security devices from Cisco, etc., could not do this. As dsr noted, you can also do it with open software. Probably a good idea to dedicate a couple of Linux boxes to this job in case you need updates and patches to maintain ebtables that you don’t want on other hosts.
While you can do many things with NATted addresses, especially since many protocols have been extended to allow for the nasty kludge of Firewallism. Depending on your reasons for maintaining your existing IP addresses on those servers as they are, you could end up in a world of pain.
Unless you absolutely cannot stand to ever have an Ethernet frame from a bad host touch be seen by the kernels of the special servers, maybe run iptables on the special servers to restrict traffic to the special servers? If they are Well Known as special, this should ease the ongoing maintenance load.
If you want a way to do this that’s REALLY crazy and unmaintainable, try using locked down ARP tables on your servers, with the IP to Ethernet mappings configured by Chef.
Bob
> On Jul 18, 2016, at 10:48 AM, Daniel Feenberg <feenberg at nber.org> wrote:
>
>
>
> On Mon, 18 Jul 2016, John Stoffel wrote:
>
>>>>>>> "Edward" == Edward Ned Harvey (bblisa4) <bblisa4 at nedharvey.com> writes:
>>
>>>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Daniel
>>>> Feenberg
>>>>
>>>> We'd like to isolate a few machines from the rest of our LAN without
>>>> renumbering them into a subnet.
>>
>> Edward> I don't envy the IT person or newhire who inherits this
>> Edward> environment someday. I'm sorry my comment isn't constructively
>> Edward> adding to the direction you want to go - you're probably very
>> Edward> smart and have thought this through, and considered all the
>> Edward> pros and cons, and have good management (or you are yourself,
>> Edward> management)... And I'm sorry that this email will probably
>> Edward> spark a debate about whether you should or should-not, and all
>> Edward> the reasons why, which will distract from the answer that you
>> Edward> actually want. That being said, it is almost never a good
>> Edward> management decision to do "tricks" and configure systems in
>> Edward> weird, uncommon, nonstandard ways that will be surprising or
>> Edward> confusing to new future people, or just a later version of
>> Edward> yourself, who forgot you previously did something weird. If I
>> Edward> were manager there, it would require a *very* compelling
>> Edward> reason to convince me this should be done.
>>
>> Hear hear! If you have machines you don't trust, why can't you
>> re-number them?
>
> We have been asked to isolate a small subset of machines. Renumbering everything else to isolate a few seemed infelicitous.
>
>> Or even put them behind a NAT/Firewall that exposes
>> the original IPs for these hosts, but locks things down that way?
>
> That is what we would like to do. As I understand it using an ordinary bridge the original IPs to be exposed would have to be in a subnet, which they are not. Nor do we have the IP space available to make a new subnet for them. Hence the interest in a transparent bridge. But if we can use NAT for this purpose, we are interested.
>
> daniel feenberg
> NBER
>
>
>>
>> _______________________________________________
>> bblisa mailing list
>> bblisa at bblisa.org
>> http://www.bblisa.org/mailman/listinfo/bblisa
>>
>
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
More information about the bblisa
mailing list