Re: IPv6 uptake (was: The Reg does 240/4)

[Daniel Marks via NANOG <nanog () nanog org>]

> a lot of folks
> making statements about network security on this list don't appear to
> grasp it.

If your network is secure, it isn’t even possible to “accidentally” open inbound ports in the first place. You either 
allow it to happen or you don’t via security policy, anything else means your “security” relies on humans not making a 
mistake, and that’s not security.

Using NAT as a “line of defense” means you implicitly don’t trust your authorization system, which means you don't 
actually have a security posture to begin with.

Using the same logic, you might as well go buy another firewall to put in front of your actual Firewall just in case 
you accidentally misconfigure it. Notice how you’re not actually securing anything, you’re putting a band aid on your 
insecure process.

-Dan

> On Feb 16, 2024, at 18:04, William Herrin <bill () herrin us> wrote:
>
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra () baylink com> wrote:
> > > From: "Justin Streiner" <streinerj () gmail com>
> > > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> > > to accept in the v4 world.
> >
> > NAT doesn't "equal" security.
> >
> > But it is certainly a *component* of security, placing control of what internal
> > nodes are accessible from the outside in the hands of the people inside.
>
> Hi Jay,
>
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.
>
> The distinction doesn't seem that subtle to me, but a lot of folks
> making statements about network security on this list don't appear to
> grasp it.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/