[111540] in North American Network Operators' Group


Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Feb 6 22:42:31 2009

From: Owen DeLong <owen@delong.com>
To: Matthew Moyle-Croft <mmc@internode.com.au>
In-Reply-To: <498CFACA.1030101@internode.com.au>
Date: Fri, 6 Feb 2009 19:32:10 -0800
Cc: Roger Marquis <marquis@roble.com>,
	north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org


On Feb 6, 2009, at 7:06 PM, Matthew Moyle-Croft wrote:

>
>
> Stephen Sprunk wrote:
>>
>> You must be very sheltered.  Most end users, even "security" folks  
>> at major corporations, think a NAT box is a firewall and disabling  
>> NAT is inherently less secure.  Part of that is factual: NAT (er,  
>> dynamic PAT) devices are inherently fail-closed because of their  
>> design, while a firewall might fail open.  Also, NAT prevents some  
>> information leakage by hiding the internal details of the site's  
>> network, and many folks place a high value on "security" through  
>> obscurity.  This is understandable, since the real threats --  
>> uneducated users and flawed software -- are ones they have no power  
>> to fix.
> It's also worth pointing out that CPE for DSL often has really poor  
> stateful firewall code.  So often turning it off means fewer issues  
> for home users.   At least NAT gives some semblance of protection.   
> IPv6 without NAT might be awesome to some, but the reality is CPE is  
> built to a price and decent firewall code is thin on the ground.   
> I'm not hopeful of it getting better when IPv6 starts to become  
> mainstream.
>
IPTables is decent firewall code.

It's free.

I don't buy that argument for a second.

Further, since more and more CPE is being built on embedded Linux,  
there's no reason that IPTables isn't a perfectly valid approach to the  
underlying firewall code.

Owen

> (In case it's not clear - I'm not talking about enterprise stuff -  
> I'm talking about CPE for domestic DSL/Cable users - please don't  
> tell me all about how cool NetScreen/PIX/ASA/<insert favourite fw>  
> is for enterprise).
>
> MMC
>
> -- 
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: mmc@internode.com.au  Web: http://www.on.net
> Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
> Reception: +61-8-8228-2999          Fax: +61-8-8235-6909
>
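For readers who want to see what "IPTables as the CPE firewall" looks like in practice, here is an added example (not code from this thread, Internode, or any CPE vendor): a minimal stateful IPv6 filter for a home router that fails closed the way a NAT box does, without translating anything. Default policy is DROP on INPUT and FORWARD, only replies to LAN-initiated flows are let back in, and the ICMPv6 that IPv6 cannot function without (RFC 4890) is allowed explicitly. The interface names eth0 and br0 and the LAN prefix 2001:db8:1::/64 are assumptions for the example, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor's firmware: a stateful
# IPv6 packet filter for CPE, built on netfilter/ip6tables, that fails closed
# (default DROP) like a NAT box does but does no address translation.
#
# Assumed names (not from the original post): WAN interface eth0, LAN bridge
# br0, and the documentation prefix 2001:db8:1::/64 as the delegated LAN prefix.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/64}"

# Emit the filter table in ip6tables-restore format. Loading it this way is
# atomic: either the whole table, DROP policies included, goes in or nothing
# changes, so a half-applied script can never leave the box open.
gen_ip6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and conntrack bookkeeping first, where most packets are decided.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 that IPv6 breaks without (RFC 4890): error reports, Packet Too Big
# for path MTU discovery, and rate-limited echo so the link can be debugged.
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
# Neighbour Discovery (RS/RA/NS/NA) is link-local and is sent with hop limit
# 255; anything claiming to be ND that has crossed a router is forged.
-A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# LAN hosts may talk to the router itself (DHCPv6, DNS forwarder, admin UI).
-A INPUT -i $LAN_IF -s $LAN_PREFIX -j ACCEPT
# LAN-initiated flows go out; nothing unsolicited from the WAN is forwarded
# in. The FORWARD policy already drops it; the explicit rule makes the
# intent visible in "ip6tables -L" and gives it its own counter.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_PREFIX -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Sanity check before loading: both inbound chains must default to DROP and
# the table must end with COMMIT. Returns 0 when the ruleset fails closed.
check_fail_closed() {
    ruleset=$(gen_ip6_ruleset)
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$ruleset" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$ruleset" | tail -n 1 | grep -q '^COMMIT$' || return 1
    return 0
}

# Number of rules on the FORWARD path; a quick way to notice a ruleset that
# has been edited down to nothing before it is pushed to a fleet of CPE.
count_forward_rules() {
    gen_ip6_ruleset | grep -c '^-A FORWARD'
}

# Load the table atomically. Needs root and the ip6tables userland; on a CPE
# image this function is the whole "firewall daemon".
apply_ruleset() {
    check_fail_closed || { echo "refusing to load a ruleset that does not fail closed" >&2; return 1; }
    gen_ip6_ruleset | ip6tables-restore
}

# "sh ip6fw.sh apply" loads the rules; anything else just prints them.
case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     gen_ip6_ruleset ;;
esac
```

Two design points are the ones that matter for the CPE argument. First, the rules are loaded with ip6tables-restore in one transaction rather than as a series of ip6tables calls; a script that sets the DROP policy last, or that dies halfway through, has the chains wide open in between, which is exactly the fail-open behaviour Stephen was contrasting with NAT. Second, the ICMPv6 and Neighbour Discovery rules are what an IPv4 NAT box never had to think about: filter those away and the LAN loses path MTU discovery and router discovery, which is the kind of breakage that gets a firewall switched off by the user.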


