nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Matthew Kaufman <matthew () matthew at>
Date: Fri, 18 Apr 2014 16:03:53 -0700
Ignoring security, A is superior because I can change it to DNAT to the new server, or DNAT to the load balancer now that said server needs 10 replicas, etc. B requires re-numbering the server or *if* I am lucky enough that it is reached by DNS name and I can change that DNS promptly, assigning a new address and adding another firewall rule that didn't exist.

Matthew Kaufman (Sent from my iPhone)
On Apr 18, 2014, at 3:19 PM, Eugeniu Patrascu <eugen () imacandi net> wrote:

> On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill () herrin us> wrote:
>
>> On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu <eugen () imacandi net> wrote:
>>
>>> On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <george.herbert () gmail com> wrote:
>>>
>>>> You are missing the point. Granted, anyone who is IPv6 aware doing a green-field enterprise firewall design today should probably choose another way than NAT.
>>>
>>> That's why you have gazillions of IP addresses in IPv6, so you don't need to NAT anything (among other things). I don't understand why people cling to NAT stuff when you can just route.
>>
>> 4. Defense in depth is a core principle of all security, network and physical. If you don't practice it, your security is weak. Equipment which is not externally addressable (due to address-overloaded NAT) has an additional obstruction an adversary must bypass versus an identical system where the equipment is externally addressable (1:1 NAT, static port translation and simple routing). This constrains the kinds of attacks an adversary may employ.
>
> Let's make it simple:
>
> Scenario (A) w/ IPv4
> [Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address :80/TCP
>
> Scenario (B) w/ IPv6
> [Internet] -> Firewall -> Host w/ Routable IP Address :80/TCP
>
> In scenario (A) I hide a server behind a firewall and do a simple destination NAT (most common setup found in all companies).
> In scenario (B) I have a firewall rule that only allows port 80 to a machine in my network.
>
> Explain to me how from a security standpoint Scenario (A) is better than scenario (B).
>
> Defense in depth, to my knowledge - and feel free to correct me - is to have defenses at every point in the network and at the host level to protect against different attack vectors that are possible at those points.
> For example a firewall that understands traffic at the protocol level, a hardened application server, a hardened application, secure coding practices and so on depending on the complexity of the network and the security requirements.
>
>> Feel free to refute all four points. No doubt you have arguments you personally find compelling. Your arguments will fall on deaf ears. At best the arguments propose theory that runs contrary to decades of many folks' experience. More likely the arguments are simply wrong.
>
> Just because some people have decades of experience, it doesn't mean they are right or know what they are doing.
>
> Eugeniu
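The two scenarios compared in the quoted exchange, written out as nftables rulesets so the difference between them is concrete. This is an added example and not configuration posted by anyone on the thread; the interface names (eth0 toward the Internet, eth1 toward the LAN), the documentation-range addresses (203.0.113.10 as the firewall's public IP, 10.0.0.80 as the internal IPv4 server, 2001:db8:1::80 as the routable IPv6 host) and the load-balancer address 10.0.0.100 are all assumptions made for the illustration.

```nftables
# Scenario (A): IPv4. The public address lives on the firewall and
# inbound TCP/80 is destination-NATed to a server on RFC 1918 space.
table ip scenario_a {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination on the way in. Repointing the service at a
        # load balancer (assumed 10.0.0.100) is a change to this one target;
        # the server itself and its DNS name are untouched.
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 80 dnat to 10.0.0.80
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only flows that the NAT rule above translated may cross into the LAN.
        iifname "eth0" oifname "eth1" ip daddr 10.0.0.80 tcp dport 80 ct status dnat accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic from the LAN leaves with the public address.
        oifname "eth0" masquerade
    }
}

# Scenario (B): IPv6. The host carries a globally routable address; the
# firewall only filters. There is no translation step.
table ip6 scenario_b {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The single permitted inbound flow. Every other address in the prefix
        # is unreachable from eth0 because of the chain's drop policy.
        iifname "eth0" oifname "eth1" ip6 daddr 2001:db8:1::80 tcp dport 80 accept
        # ICMPv6 error types that IPv6 needs for path-MTU discovery and
        # error reporting; dropping these breaks the HTTP flow above.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Check the file with `nft -c -f` before loading it with `nft -f`. In both rulesets the forward chain's drop policy means the only path from the Internet into the LAN is TCP/80 to that one host; what (A) adds is that the packet the server receives was originally addressed to the firewall's public IP rather than to the server's own address. Matthew's operational point is visible in the rule text: in (A) moving the service onto a load balancer is a one-token change to the `dnat to` target, while in (B) it means publishing a new address in DNS and adding an accept rule for it.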