nanog mailing list archives

Re: Arguing against using public IP space


From: Leigh Porter <leigh.porter () ukbroadband com>
Date: Tue, 15 Nov 2011 17:16:23 +0000

Quite right.. I bet all Iran's nuclear facilities have air gaps but they let people in with laptops and USB sticks.

-- 
Leigh


On 15 Nov 2011, at 14:48, "Chuck Church" <chuckchurch () gmail com> wrote:

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Tuesday, November 15, 2011 9:17 AM
To: Leigh Porter
Cc: nanog () nanog org; McCall, Gabriel
Subject: Re: Arguing against using public IP space

And this is totally overlooking the fact that the vast majority of
*actual* attacks these days are web-based drive-bys and similar things
that most firewalls are configured to pass through.  Think about it - if a
NAT'ed firewall provides any real protection against real attacks, why are
there still so many zombied systems out there?  I mean, Windows
Firewall has been shipping with inbound "default deny" since XP SP2 or so.
How many years ago was that?

Simple explanation is that most firewall rules are written to trust traffic
initiated by 'inside' (your users), and the return traffic gets trusted as
well.  This applies to both Windows' own FW and most hardware-based
firewalls.  And NAT/PAT devices too.  There's nothing more dangerous than a
user with a web browser.  Honestly, FWs will keep out attacks initiated from
outside.  But for traffic permitted or initiated by the inside, IPS is the only
way to go.

Chuck  



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
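The behaviour Chuck describes (inbound default deny, but return traffic of an inside-initiated session is trusted) can be shown with a small simulation. This is an added illustration, not code from the thread or from any firewall product: a toy connection-tracking filter, a constructed three-packet trace using documentation address ranges, and a hypothetical `inspector` callback standing in for the content inspection an IPS would do on the flows the firewall has already permitted.

```python
"""Toy stateful filter with inbound default deny (added example, not from the thread).

Shows why a NAT'ed/stateful firewall passes a web drive-by: the inside host
opens the connection, so the reply that carries the payload is "return
traffic" and matches an existing flow.  Only inspection of permitted
traffic (the IPS role) sees it.  All packets and the payload marker below
are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = sent by an inside host, "in" = from the Internet
    payload: str = ""


class StatefulFirewall:
    """Default-deny inbound; inside-initiated flows and their replies are trusted."""

    def __init__(self) -> None:
        # Flow table keyed as (inside_ip, inside_port, remote_ip, remote_port).
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            # Outbound traffic is trusted and creates/refreshes a flow entry.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound is accepted only as return traffic of a known flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        return "DROP"


# Constructed trace: one unsolicited inbound probe, then a browser session
# whose reply carries a (constructed) marker standing in for a drive-by payload.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 445, "in"),
    Packet("192.0.2.10", 51515, "203.0.113.10", 80, "out", "GET / HTTP/1.1"),
    Packet("203.0.113.10", 80, "192.0.2.10", 51515, "in",
           "HTTP/1.1 200 OK ... CONSTRUCTED-DRIVEBY-MARKER ..."),
]


def run(packets: List[Packet],
        inspector: Optional[Callable[[Packet], bool]] = None) -> List[str]:
    """Return one verdict per packet; `inspector` runs only on traffic the firewall let in."""
    fw = StatefulFirewall()
    verdicts = []
    for p in packets:
        verdict = fw.decide(p)
        if verdict == "ACCEPT" and p.direction == "in" and inspector and inspector(p):
            verdict = "IPS-BLOCK"
        verdicts.append(verdict)
    return verdicts


def marker_inspector(p: Packet) -> bool:
    """Hypothetical stand-in for IPS content inspection: match a constructed signature."""
    return "CONSTRUCTED-DRIVEBY-MARKER" in p.payload


def firewall_only() -> List[str]:
    # The probe to 445 is dropped; the web reply carrying the marker is ACCEPTed.
    return run(SAMPLE_TRAFFIC)


def firewall_plus_ips() -> List[str]:
    # Same firewall decisions, but the permitted reply is caught by inspection.
    return run(SAMPLE_TRAFFIC, marker_inspector)


if __name__ == "__main__":
    print("firewall only :", firewall_only())
    print("firewall + IPS:", firewall_plus_ips())
```

The first run shows the firewall doing exactly what it is configured for and still passing the payload; the second shows that the detection decision has to be made on traffic the firewall has already permitted, which is the point of the thread.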


