Firewall Wizards mailing list archives
Re: ***SPAM*** Re: IPv6 support in firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Aug 2007 16:13:00 -0400 (EDT)
On Mon, 27 Aug 2007, Dave Piscitello wrote:
using NAT as the only security measure. By IP masquerading, I avoid having a RIR identify the address blocks I use internally, as they would if I were to use public space. Explain why you feel this is wrong?
Can you explain to me a common attack scenario[1] where you wouldn't need access to a network node that already *had* the addressing information where an attacker could take advantage of knowing the internal addressing scheme where there's a firewall doing its job in regards to inbound connections?

I've had a multi-billion dollar corporation's internal network use two /16's of routable address space for several years without falling foul to any attack[2] that would have been stopped by the address space not being routable. It's not like you're going to 'reset' the address space every time someone leaves anyway.

Paul

[1] Where 'common' has the value of 'you'd see this in the real world.'
[2] Both successful non-malcode attacks were idiot admin/developer on a DMZ attacks and were in-band negating any NAT "value."

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
http://www.fluiditgroup.com/blog/pdr/