nanog mailing list archives
Re: misunderstanding scale
From: Timothy Morizot <tmorizot () gmail com>
Date: Mon, 24 Mar 2014 13:46:06 -0500
On Mon, Mar 24, 2014 at 8:25 AM, Joe Greco <jgreco () ns sol net> wrote:
> Bill Herrin wrote:
>> I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
>
> The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. If you want more layers of security, put a second firewall into your design. Don't perpetuate horrid IPv4 hacks that were necessary for specific reasons into IPv6 where those hacks are no longer needed.
>
> With 24 million small businesses in the US alone, that's way too many apples.
Precisely. Repeat after me. NAT is not a security feature. Period. It offers no meaningful protection. We've known how to bypass NATs almost from the moment they were developed.

Defense in depth has nothing to do with NAT. In our enterprise deployment, it involves two layers of heterogeneous firewalls (protecting multiple security zones from the internal network and the Internet), IPS/IDS, web filters, mail filters, and an active CSIRC monitoring, analyzing, and responding to threats and attacks. If you're an enterprise and don't have something similar in place, then you have no security defense in depth.

Thank goodness our Cybersecurity organization actually comprehends real computer and network security instead of promoting snake oil.

Scott