Interesting People mailing list archives

more on IPv6 Forum chief: the new Internet is ready for consumption


From: David Farber <dave () farber net>
Date: Mon, 28 Nov 2005 18:02:44 -0500



Begin forwarded message:

From: Bill Williamson <batkiwi () happychinchilla com>
Date: November 28, 2005 5:52:33 PM EST
To: thomas () thomasleavitt org
Cc: dave () farber net
Subject: Re: [IP] more on IPv6 Forum chief: the new Internet is ready for consumption

From: Thomas Leavitt <thomas () thomasleavitt org>
Subject: Re: [Dewayne-Net] IPv6 Forum chief: the new Internet is ready for consumption

The other day, some twit hit an HTTP server I administer with no less
than 6,500 separate exploit attempts (before I blocked the attack) -
friggin' amazing (and kind of scary). The network I'm on gets literally
hundreds of automated penetration attempts daily.

I don't want my desktop, or my wife's desktop, or my printer, or
anything else on my local network sitting on the open internet -
**SNIP**
If I'm missing something here, and I probably am, maybe someone else on
the list can fill me in...


Thomas, I don't know anything about your background, so I'll assume it's
not a strong networking one.

What you're missing is the difference between a router and a firewall.
SOHO NAT device companies purposefully blur this distinction, since you
do in essence get a "free" firewall by the very nature of NAT, but they
have done the general networking community a large disservice. You can
have a firewall even without doing NAT, and in fact limited access, single
directional firewalls are MUCH older than the NAT devices you are used to
using.

To keep it short:  Just because something has a publicly routable IP
address does not mean that it is publicly accessible. When everything is
IPv6, you will replace your NAT/router/modem/etc device with a much
simpler IPv6 firewall device (which already exists if you're willing to
run third party firmware on the Linksys WRT54G Dave mentioned a few weeks
ago).  This device will, just as your NAT router does today, only allow
outgoing packets and responses to existing sessions (e.g. allow the HTTP
server you just contacted to send a response back to your laptop).  IPv6
will give you the OPTION of just plugging directly into the internet, but
that does not mean you will have to!

MANY companies, especially older ones with older contracts which give them
"real" IPs, already operate with this type of environment with IPv4. This
is why firewalls have existed long before NAT was designed or became
commonplace.

--Bill
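
The filtering behaviour described in the message above, as an added Python model that is not part of the original e-mail: a firewall that forwards packets without translating addresses, yet only admits inbound packets that mirror a live outbound session. The class names, the 300-second idle timeout and the addresses (taken from the 2001:db8::/32 documentation prefix) are assumptions made for illustration, and the model tracks the 5-tuple only, not TCP flags.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    """Forwards packets unchanged (no NAT); filters on session state only."""
    def __init__(self, inside_prefix, idle_timeout=300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout  # seconds; assumed value
        self.sessions = {}                # flow key -> time last seen

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt, now):
        """Return True to forward the packet, False to drop it."""
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: allowed, and remembered so the reply can come back.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions[key] = now
            return True
        if dst_in and not src_in:
            # Inbound: allowed only if it mirrors a live outbound session.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            last = self.sessions.get(key)
            if last is not None and now - last <= self.idle_timeout:
                self.sessions[key] = now
                return True
            self.sessions.pop(key, None)  # expired or never existed
        return False

# Constructed sample hosts; all three addresses are globally routable in form.
LAPTOP, WEB, SCANNER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"

def demo():
    fw = StatefulFirewall("2001:db8:1::/64")
    return [
        fw.filter(Packet(SCANNER, 40000, LAPTOP, 22), now=0),  # unsolicited
        fw.filter(Packet(LAPTOP, 51000, WEB, 80), now=1),      # outbound
        fw.filter(Packet(WEB, 80, LAPTOP, 51000), now=2),      # reply
        fw.filter(Packet(WEB, 80, LAPTOP, 51001), now=3),      # wrong port
        fw.filter(Packet(WEB, 80, LAPTOP, 51000), now=1000),   # idle too long
    ]
```

The laptop keeps its own routable address throughout; only the session table decides what reaches it.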

