nanog mailing list archives

Re: Arguing against using public IP space


From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Nov 2011 12:31:26 -0500

On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said:

> A firewall's job is to prevent the success of ACTIVE attack vectors
> against your network. If your firewall successfully restricts
> attackers to passive attack vectors (drive-by downloads) and social
> engineering vectors then it has done everything reasonably expected of
> it. Those other parts of the overall network security picture are
> dealt with elsewhere in system security apparatus. So it's no mistake
> that in a discussion of firewalls those two attack vectors do not
> feature prominently.

You missed the point - in the greater scheme of things, the threat model has
moved on, so the entire "ZOMG We can't deploy IPv6 because there's no NAT for
security" is a total crock of bovine manure. There are *so many* lower-hanging
fruit these days that if you're trying to *actually* improve your site's
security, you'd just punt worrying about the NAT stuff and focus on doing a
better job defending against the threats that are actually succeeding in
breaking into systems.

In another year or two, lack of IPv6 deployment is going to start impacting
the "availability" part of the security triad.  I'd worry about *that* more than
"how many NATs can dance on the head of a pin".
