nanog mailing list archives

RE: misunderstanding scale


From: "Naslund, Steve" <SNaslund () medline com>
Date: Tue, 25 Mar 2014 02:47:31 +0000

Exactly right.  In fact, that is generous, because the v6 host with a stateful firewall has a real protocol-aware 
firewall (and often bundled IDS/IPS capability), not just a NAT to protect him.  

The NAT provides almost no security once a single host behind the NAT is compromised and makes an outbound connection.  
Bang, instant VPN connection to the internal network.  A perimeter defense relying on NAT is a house of cards that only 
needs one nick for the whole thing to come down.  Lots and lots of enterprises count on a hard perimeter and almost 
nothing behind it so once I am in behind your NAT, you are unlikely to notice it until something real bad happens.  
That is the state of most enterprise network security today.

C'mon guys, how many botnets and DDoS attacks do we need to see coming from home computers that are almost all behind 
NATs to realize that NAT is not a security feature?  For you service providers out there, how many of your residential 
customers behind your NAT do you think are compromised in some way?

If you can find a large enterprise that has not one piece of malware running on a single workstation, I will be 
surprised.  With so many BYODs and laptops going in and out of your NAT perimeter there is no way you can assert that 
nothing behind your NAT is compromised.  At least with v6 we can have a better idea of where a rogue connection is 
coming from.  

Look at it this way.  If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT 
block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your 
whole network is unreachable. If you have a compromised GUA host I can block only him.  Better for both of us, no?

How about a single host spamming behind your NAT blocking your entire corporate public network from email services?  
Anyone ever see that one?  IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.

Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that 
needs to be secured as well.  We can only hope.

Steven Naslund


Bzzzt... But thanks for playing.

An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an 
RFC-1918 address behind a NAT44 gateway.

Owen
