nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Eugeniu Patrascu <eugen () imacandi net>
Date: Thu, 17 Apr 2014 21:32:02 +0300
On Thu, Apr 17, 2014 at 9:05 PM, William Herrin <bill () herrin us> wrote:
> Here's the drill: From an enterprise security perspective, deploying IPv6 is high risk. I have to re-implement every rule I set on my IPv4 addresses all over again with my IPv6 addresses and hope I don't screw it up in a way that lets an adversary wander right in. That risk is compounded exponentially if the _initial_ deployment can't follow an identical security posture to the IPv4 system. Without availability of the kind of NAT present in the IPv4 deployment, I have a problem whose solution is: sorry network team, return when the technology is mature.

It's a bigger risk to think that NAT somehow magically protects you against stuff on the Internet. Also, if your problem is that someone can screw up firewall rules, then you have a bigger issue in your organization than IPv6.

> There's a fair argument to be made which says that kind of NAT is unhealthy. If its proponents are correct, they'll win that argument later on with NAT-incompatible technology that enterprises want. After all, enterprise security folk didn't want the Internet in the corporate network at all, but having a web browser on every desk is just too darn useful. Where they won't win that argument is in the stretch of maximum risk for the enterprise security folk.

Any technology has associated risks; it's a matter of how you reduce/mitigate them. This paranoia thingie about IPv6 is getting a bit old. Just because you don't (seem to) understand how it works, it doesn't mean no one else should use it.

Eugeniu