nanog mailing list archives

Re: Arguing against using public IP space


From: Leigh Porter <leigh.porter () ukbroadband com>
Date: Tue, 15 Nov 2011 17:14:44 +0000


On 15 Nov 2011, at 15:36, "Owen DeLong" <owen () delong com> wrote:


On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:



On 14 Nov 2011, at 18:52, "McCall, Gabriel" <Gabriel.McCall () thyssenkrupp com> wrote:

Chuck, you're right that this should not happen, but the reason it should not happen is because you have a properly 
functioning stateful firewall, not because you're using NAT. If your firewall is working properly, then having 
public addresses behind it is no less secure than private. And if your firewall is not working properly, then 
having private addresses behind it is no more secure than public. In either case, NAT gains you nothing over what 
you'd have with a firewalled public-address subnet.


Well this is not quite true, is it? If your firewall is not working and you have private space internally then you 
are a lot better off than if you have public space internally! So if your firewall is not working then having 
private space on one side is a hell of a lot more secure!

This is not true.

If your firewall is not working, it should not be passing packets.

And of course, things always fail just the way we want them to.


If you put a router where you needed a firewall, then, this is not a failure of the firewall, but, a
failure of the network implementor and the address space will not have any impact whatsoever
on your lack of security.

This is not really a well-made point, sorry. It's about a firewall failing, perhaps due to software error or hardware 
issue or because somebody failed to correctly configure a firewall rule.

The point about private space is that it forces security in a way in which public space and a firewall does not.

With private space, you are forced to explicitly configure NAT holes or VPN connections whereas with public space your 
boxes by default are accessible by the whole Internet. By default, on a private space network, nothing can get to it.

As somebody else mentioned on this thread, a NAT box with private space on one side fails closed.


So does a firewall.

If it fails just how you want it to.

--
Leigh

