Firewall Wizards mailing list archives

Re: ***SPAM*** Re: IPv6 support in firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Aug 2007 16:13:00 -0400 (EDT)

On Mon, 27 Aug 2007, Dave Piscitello wrote:

> using NAT as the only security measure. By IP masquerading, I avoid 
> having a RIR identify the address blocks I use internally, as they would 
> if I were to use public space. Explain why you feel this is wrong?

Can you explain to me a common attack scenario[1] where you wouldn't need 
access to a network node that already *had* the addressing information 
where an attacker could take advantage of knowing the internal addressing 
scheme where there's a firewall doing its job in regards to inbound connections?

I've had a multi-billion dollar corporation's internal network use two 
/16's of routable address space for several years without falling foul to 
any attack[2] that would have been stopped by the address space not being 
routable.

It's not like you're going to 'reset' the address space every time someone 
leaves anyway.

Paul
[1] Where 'common' has the value of 'you'd see this in the real world.'
[2] Both successful non-malcode attacks were idiot admin/developer on a 
DMZ attacks and were in-band negating any NAT "value." 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards