    Thoughts on how I could improve my network security?

      coliver @beta

      @beta https://mangolassi.it/user/beta/topics

        scottalanmiller @beta

        @beta said in Thoughts on how I could improve my network security?:

        NSS Labs

        I lack any real opinion either way, I'm afraid. But rating Fortinet highly in anything is.... concerning.

          dave247 @scottalanmiller

          @scottalanmiller said in Thoughts on how I could improve my network security?:

          @dave247 said in Thoughts on how I could improve my network security?:

          Second, a router is always a firewall, the two are always the same thing, have been for decades.

          I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

            scottalanmiller @dave247

            @dave247 said in Thoughts on how I could improve my network security?:

            @scottalanmiller said in Thoughts on how I could improve my network security?:

            @dave247 said in Thoughts on how I could improve my network security?:

            Second, a router is always a firewall, the two are always the same thing, have been for decades.

            I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

            Why? It's 100% true. Can you find any router that isn't a firewall or any firewall that isn't a router? While they are different aspects of the same device, they are the same device. No non-firewall router has been made since the 1990s. And while some firewalls allow you to disable routing functions to become a bridging firewall, I know of no firewall where the L3 routing can't be enabled again.

            This is considered basic networking knowledge. It's only in the last year or so that people have started this new myth that there is something else that is a firewall.

              scottalanmiller @dave247

              @dave247 said in Thoughts on how I could improve my network security?:

              @scottalanmiller said in Thoughts on how I could improve my network security?:

              @dave247 said in Thoughts on how I could improve my network security?:

              Second, a router is always a firewall, the two are always the same thing, have been for decades.

              I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

              If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.

                scottalanmiller

                Perhaps you are thinking that host based firewalls are clearly not on routers, so are some exception to the rule, and I can see where that might be confusing. Host based firewalls, like the ones that run on Windows or Linux, are on end points. However, what's important there, is that all operating systems, including Windows desktops, are routers as well and if you turn on their routing functions will operate as traditional router / firewall combos. It is only that we turn that off and put the firewall into bridging mode by default that it doesn't act this way most of the time. But your desktop has all of the router functionality in it, just as it has all firewall functionality in it. It's just normally turned off. But it holds to the model that the inclusion of firewall functionality always means that routing is an option.

                Basically you can think of it like this: All routers are firewalls, there is no router made that isn't (handling NAT alone guarantees this no matter what). And all firewalls have the option of routing.

                  dave247 @scottalanmiller

                  @scottalanmiller said in Thoughts on how I could improve my network security?:

                  @dave247 said in Thoughts on how I could improve my network security?:

                  @scottalanmiller said in Thoughts on how I could improve my network security?:

                  @dave247 said in Thoughts on how I could improve my network security?:

                  Second, a router is always a firewall, the two are always the same thing, have been for decades.

                  I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

                  If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.

                  Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that.

                  My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent.

                    scottalanmiller @dave247

                    @dave247 said in Thoughts on how I could improve my network security?:

                    @scottalanmiller said in Thoughts on how I could improve my network security?:

                    @dave247 said in Thoughts on how I could improve my network security?:

                    @scottalanmiller said in Thoughts on how I could improve my network security?:

                    @dave247 said in Thoughts on how I could improve my network security?:

                    Second, a router is always a firewall, the two are always the same thing, have been for decades.

                    I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

                    If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.

                    Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that.

                    My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent.

                    Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s."

                    This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always.

                    How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined?

                      Obsolesce @dave247

                      @dave247 A router is simply a hardware firewall.

                        dave247 @scottalanmiller

                        @scottalanmiller said in Thoughts on how I could improve my network security?:

                        @dave247 said in Thoughts on how I could improve my network security?:

                        @scottalanmiller said in Thoughts on how I could improve my network security?:

                        @dave247 said in Thoughts on how I could improve my network security?:

                        @scottalanmiller said in Thoughts on how I could improve my network security?:

                        @dave247 said in Thoughts on how I could improve my network security?:

                        Second, a router is always a firewall, the two are always the same thing, have been for decades.

                        I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

                        If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.

                        Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that.

                        My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent.

                        Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s."

                        This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always.

                        How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined?

                        Look. Really all I'm trying to say is that you should have maybe phrased it as "a router and a firewall always go together", because saying they are the same thing is a very gross over-simplification. It would be like saying the engine in a car is the same thing as the transmission. They always go together, but they are not the same thing. You said they were the same thing, I am saying they are not. I am saying they are not the same thing, because that is the correct thing to say to somebody who says they are the same thing. You can dance around it all you want with your paragraphs of words, but the fact of the matter is you were incorrect, at least in how you described it, and you should just accept that.

                          dave247 @Obsolesce

                          @tim_g said in Thoughts on how I could improve my network security?:

                          @dave247 A router is simply a hardware firewall.

                          No, that is not correct. It is a gross over-simplification. Routing and firewalling functions are two completely different roles. Yes, routers almost always come with a firewall, but they are absolutely not the same thing.

                            dave247

                            Ok, here is another example of what I am trying to express here:

                            At work, I have a bunch of Dell PowerConnect switches - 5500 and N3000 series. These are referred to and sold as switches. However, they provide multi-layer functions, beyond just L2 switching. Some of the functions they provide are: switching, routing, DHCP server. Does that mean I can refer to this switch as a router instead of a switch? How about if I start calling the switch a server? I wouldn't, because it's not correct. If I said that a switch and router are the same thing, people would be quick to correct me because they are not the same thing.

                              scottalanmiller @dave247

                              @dave247 said in Thoughts on how I could improve my network security?:

                              @scottalanmiller said in Thoughts on how I could improve my network security?:

                              @dave247 said in Thoughts on how I could improve my network security?:

                              @scottalanmiller said in Thoughts on how I could improve my network security?:

                              @dave247 said in Thoughts on how I could improve my network security?:

                              @scottalanmiller said in Thoughts on how I could improve my network security?:

                              @dave247 said in Thoughts on how I could improve my network security?:

                              Second, a router is always a firewall, the two are always the same thing, have been for decades.

                              I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.

                              If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.

                              Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that.

                              My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent.

                              Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s."

                              This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always.

                              How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined?

                              Look. Really all I'm trying to say is that you should have maybe phrased it as "a router and a firewall always go together", because saying they are the same thing is a very gross over-simplification. It would be like saying the engine in a car is the same thing as the transmission. They always go together, but they are not the same thing. You said they were the same thing, I am saying they are not. I am saying they are not the same thing, because that is the correct thing to say to somebody who says they are the same thing. You can dance around it all you want with your paragraphs of words, but the fact of the matter is you were incorrect, at least in how you described it, and you should just accept that.

                              But I didn't say that. I said that they are always together and made it clear that they were separate, but always together. I wasn't incorrect, I was completely correct.

                              Calling two sentences a "paragraph of words" and describing facts as "dancing around" doesn't change the fact that I said one thing, and you claimed another. Call it what you will, but what I said was correct, factual, useful, and anything but misleading as you try to portray it. It was correct, useful, and helpful to someone who would be unclear as to the meaning.

                                scottalanmiller @dave247

                                @dave247 said in Thoughts on how I could improve my network security?:

                                Ok, here is another example of what I am trying to express here:

                                At work, I have a bunch of Dell PowerConnect switches - 5500 and N3000 series. These are referred to and sold as switches. However, they provide multi-layer functions, beyond just L2 switching. Some of the functions they provide are: switching, routing, DHCP server. Does that mean I can refer to this switch as a router instead of a switch?

                                Of course you can call it a router. An L3 Switch is just a marketing term for a multi-port router. That's what they used to be called, L3 switch is okay but not the original term. They are absolutely routers, and firewalls as well.

                                  scottalanmiller @dave247

                                  @dave247 said in Thoughts on how I could improve my network security?:

                                  If I said that a switch and router are the same thing, people would be quick to correct me because they are not the same thing.

                                  But an L3 switch and a router ARE the same things. This is not even like the router and firewall piece where it is two parts of the same device that always get merged even when the functionality isn't technically synonymous. But L3 Switch and Router are literally two words for the same thing.

                                  Even the general term "switch" is just short for "multi-port bridge." There was a time when we had both L2 and L3 switches, but the term switch didn't exist yet.

                                    scottalanmiller @dave247

                                    @dave247 said in Thoughts on how I could improve my network security?:

                                    How about if I start calling the switch a server? I wouldn't, because it's not correct.

                                    Depends on the implication. It's not a general purpose server, which is what most people use that term to mean. But is it a DHCP server? Absolutely.

                                      scottalanmiller

                                      There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.

                                        Obsolesce @scottalanmiller

                                        @scottalanmiller said in Thoughts on how I could improve my network security?:

                                        There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.

                                        Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.

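The NAT behaviour discussed in the two posts above, as an added example that is not part of the thread: a minimal port-translating NAT model in which an inbound packet with no matching translation entry is dropped. The class and function names, the addresses (documentation ranges) and the strict per-flow matching are assumptions made for the illustration; real NAT implementations differ in how strictly they match return traffic.

```python
from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Toy NAPT device: one public address, many inside hosts (hypothetical model)."""
    public_ip: str
    next_port: int = 40000
    # public port -> (inside_ip, inside_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # reverse index so one inside flow always reuses the same public port
    by_flow: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a mapping and rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if a mapping exists, otherwise drop."""
        if pkt.dst_ip != self.public_ip:
            return None                      # not addressed to this device
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                      # no translation entry: nowhere to send it
        inside_ip, inside_port, remote_ip, remote_port = entry
        # Assumption: the reply must come from the exact remote endpoint
        # the inside host contacted.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def run_demo() -> dict:
    """Constructed traffic: one outbound flow, then three inbound packets."""
    nat = NatRouter(public_ip="203.0.113.5")
    sent = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    return {
        "translated_outbound": sent,
        # genuine reply to the flow above: forwarded to the inside host
        "reply": nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", sent.src_port)),
        # unsolicited connection attempt to a port with no mapping: dropped
        "unsolicited": nat.inbound(Packet("198.51.100.99", 40123, "203.0.113.5", 22)),
        # different remote host reusing the mapped port: dropped in this model
        "wrong_peer": nat.inbound(Packet("198.51.100.99", 443, "203.0.113.5", sent.src_port)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20} -> {result if result is not None else 'DROPPED'}")
```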
                                          scottalanmiller @dave247

                                          @dave247 I totally get your point that in most cases, routers and firewalls are different aspects of the device. And that is good for everyone to understand. But it is also important, I'd say far more important, for everyone to understand that in the real world, and for all utility even in the theoretical world, you can't have a router that isn't a firewall and anything that is a firewall can be a router.

                                          It's less important that people understand that L3 Switches are always routers, but it is the same concept. If someone asks if you have a router in between point A and B and all you have there is an L3 switch, your answer is "yes".

                                          The reason that it is more important that people understand that router always means firewall and firewall always means router (at least optionally) is because there is a new epidemic of people thinking firewall means something totally different and crazy things are being thought now - where people actually think that they have routers that aren't firewalls.

                                            scottalanmiller

                                            The key reason that we state that firewalls and routers are one and the same is because the one thing that is most important is that no one come away thinking that there is a router that isn't a firewall. The terms are literally used interchangeably to the point that you never know what someone means when they say one or the other. There is value to understanding every aspect of how they are different aspects of the same device - but you can't risk someone thinking that you can have a non-firewall router in order to do that. And the problem is, anyone that needs this explained is at risk of that confusion. So being over the top about how much they are one and the same, and downplaying how they are two different aspects, is important because anyone in the position of needing this explained only needs to know that the terms are interchangeable for all intents and purposes. By knowing that, and not knowing that they are different aspects, they are perfectly functional. But if they only learn that they are different aspects, they've not learned the one thing that they need to know.

                                            So to protect people from confusion and not knowing how to protect themselves, we state it in that way. Specifically to avoid confusion where it is most likely, and most dangerous.
