nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: William Herrin <bill () herrin us>
Date: Fri, 18 Apr 2014 19:06:53 -0400
On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen () imacandi net> wrote:
> On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill () herrin us> wrote:
>> 4. Defense in depth is a core principle of all security, network and physical. If you don't practice it, your security is weak. Equipment which is not externally addressable (due to address-overloaded NAT) has an additional obstruction an adversary must bypass versus an identical system where the equipment is externally addressable (1:1 NAT, static port translation and simple routing). This constrains the kinds of attacks an adversary may employ.
>
> Let's make it simple:
>
> Scenario (A) w/ IPv4
> [Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address :80/TCP
>
> Scenario (B) w/ IPv6
> [Internet] -> Firewall -> Host w/ Routable IP Address :80/TCP
>
> In scenario (A) I hide a server behind a firewall and do a simple destination NAT (most common setup found in all companies).
> In scenario (B) I have a firewall rule that only allows port 80 to a machine in my network.
>
> Explain to me how from a security standpoint Scenario (A) is better than scenario (B).
So your question is: how does one variant of being externally addressable (simple routing with a packet filter or perhaps a stateful firewall) differ from another variant of being externally addressable (static inbound port translation)? Hell man, I don't like seeing these in IPv4 let alone IPv6. But when I'm asking a guy to make a much bigger leap of faith, like implementing IPv6, I don't plan to distract him with the fact that he's taken NAT=good from the situation where it's probably true and applied it to a situation where its value is more dubious.
> Defense in depth, to my knowledge - and feel free to correct me, is to have defenses at every point in the network and at the host level to protect against different attack vectors that are possible at those points.
And a heart attack is that you clutch your chest and fall over dead. You describe what defense in depth looks like, not what it is.

Defense in depth is that you have a fence and a security guard and a spotlight. And a locked door, an alarm system and a safe too. But you don't just have the fence, the door and the safe, a single form of protection at each point. That would be a shallow defense.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
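To make Eugeniu's two scenarios concrete, here is an added nftables ruleset written for this page (it is not code from the thread or from either poster); the interface name wan0 and all addresses are assumed placeholders drawn from the documentation and RFC 1918 ranges. It shows that in both scenarios the exposure is bounded by the forward-chain filter, while the DNAT rule in scenario (A) only rewrites the destination address.

```nftables
# Added example (not from the thread). wan0, 192.0.2.10, 10.0.0.80 and
# 2001:db8:1::80 are constructed placeholders.

# Scenario (A): IPv4. Public 192.0.2.10:80/TCP is DNAT'd to the internal
# server 10.0.0.80:80/TCP; outbound traffic is masqueraded behind 192.0.2.10.
table ip scenario_a {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" ip daddr 192.0.2.10 tcp dport 80 dnat to 10.0.0.80
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # By the time a packet reaches the forward hook its destination has
        # already been rewritten, so the filter matches on the internal address.
        # This rule is what limits inbound exposure to :80/TCP; the DNAT entry
        # above does not filter anything by itself.
        iifname "wan0" ip daddr 10.0.0.80 tcp dport 80 ct state new accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# Scenario (B): IPv6. The host 2001:db8:1::80 is globally routable; the
# firewall forwards only new :80/TCP connections to it and drops the rest.
table ip6 scenario_b {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # ICMPv6 error messages must pass or path MTU discovery breaks.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 80 ct state new accept
    }
}
```

Load with `nft -f <file>` after reviewing; the default-drop forward policy means anything not listed, in either address family, is silently discarded.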