[141543] in North American Network Operators' Group
Retraining "IT" on networking myths (the cloud to the rescue!)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jun 8 21:33:23 2011
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20110609012039.57692108BD88@drugs.dv.isc.org>
Date: Wed, 8 Jun 2011 21:32:20 -0400
To: Mark Andrews <marka@isc.org>
Cc: NANOG list <nanog@nanog.org>
On Jun 8, 2011, at 9:20 PM, Mark Andrews wrote:
> It's *never* been a good idea, let alone a best idea; however, it was
> the only solution to a problem in the last millennium and really
> should only be deployed to protect those 20-year-old boxes that still
> have that problem.
>
> Way too much of security so-called "best practice" isn't and actually
> has detrimental effects that outweigh any benefits.
I'm not sure of the best way to fix this, as there are all these common misconceptions about technology out there.
MYTHS:
TCP/53 is only for zone transfers
ICMP is a security risk/ddos avenue
Internal networks must be secured with NAT
A firewall is the only way to secure the perimeter
In fact, for IPv6, ICMP is more important, not less. Firewalls frequently harm and don't block data going out. TCP/53 is needed for EDNS. IPv6 doesn't have the concept of NAT, or at least not in the same way as people use 1918 space at home and in IT networks...
I'm not sure of the best way to deal with this. There are a lot of netadmins (perhaps myself included) who operate in a universe where they treat these items as fact, real and even on an audit checklist.
When it comes to enabling IPv6 on your NOC or corporate network, how will they respond? "Wait, they will have a globally routed IP address? How do I NAT that?"
It does alter the environment of enforcing a security policy. Then again, with all this "cloud" stuff (should that read "return to mainframe processing days"?), it may not matter as much, since what you're securing will be "in the cloud", a remote location that has a pre-existing security policy that meets whatever your standards are (FIPS, FISMA, the auditors, etc.).
- Jared
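The "TCP/53 is only for zone transfers" myth in the list above can be checked against the wire format. The following is an added example, not code from the thread or from any of its participants: a minimal resolver that queries over UDP, inspects the TC bit in the response header, and repeats the query over TCP/53 with the 2-byte length prefix that RFC 1035 section 4.2.2 requires. The "server" is a constructed stand-in that answers any name with a configurable number of A records from 192.0.2.0/24 and truncates only when the reply exceeds the UDP payload size the client advertised (512 bytes without an EDNS0 OPT record). Names, transaction ID and answer counts are assumptions for the demonstration.

```python
"""DNS truncation and TCP/53 fallback (added example; not from the NANOG thread)."""
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
UDP_DEFAULT_MAX = 512                # RFC 1035 limit when no EDNS0 OPT record is present

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_query(txid, qname, qtype=TYPE_A, edns_udp_size=None):
    msg = DNS_HDR.pack(txid, FLAG_RD, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def parse_header(msg):
    if len(msg) < DNS_HDR.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = DNS_HDR.unpack_from(msg)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}

def tcp_frame(msg):
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Split a TCP/53 byte stream into complete messages; returns (messages, unconsumed tail)."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, off)
        if off + 2 + length > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + length])
        off += 2 + length
    return msgs, stream[off:]

def fake_server(wire, over_tcp, num_answers):
    """Constructed authoritative server: honours the client's advertised UDP size, truncates otherwise."""
    txid, flags, _, _, _, arcount = DNS_HDR.unpack_from(wire)
    qend = skip_name(wire, DNS_HDR.size) + 4
    question = wire[DNS_HDR.size:qend]
    udp_max, opt = UDP_DEFAULT_MAX, b""
    if arcount == 1 and len(wire) >= qend + 11 and wire[qend] == 0 \
            and struct.unpack_from("!H", wire, qend + 1)[0] == TYPE_OPT:
        udp_max = struct.unpack_from("!H", wire, qend + 3)[0]
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)   # server's own OPT in the reply
    rflags = FLAG_QR | (flags & FLAG_RD) | FLAG_RA
    # Each answer: pointer 0xC00C to the question name, TYPE A, IN, TTL 300, 4-byte address
    answers = b"".join(struct.pack("!HHHIH4s", 0xC00C, TYPE_A, CLASS_IN, 300, 4,
                                   bytes([192, 0, 2, i % 250 + 1])) for i in range(num_answers))
    reply = DNS_HDR.pack(txid, rflags, 1, num_answers, 0, 1 if opt else 0) + question + answers + opt
    if not over_tcp and len(reply) > udp_max:
        # RFC 2181 section 9: set TC and drop the answers; the client must retry over TCP
        reply = DNS_HDR.pack(txid, rflags | FLAG_TC, 1, 0, 0, 1 if opt else 0) + question + opt
    return reply

def check_response(query, resp):
    qh, rh = parse_header(query), parse_header(resp)
    qend = skip_name(query, DNS_HDR.size) + 4
    if not rh["qr"] or rh["id"] != qh["id"] or resp[DNS_HDR.size:qend] != query[DNS_HDR.size:qend]:
        raise ValueError("response does not match query (id / QR bit / question)")

def resolve(query, udp_send, tcp_send):
    """Resolver side: UDP first, then TCP/53 on TC=1. Transports are injected so this runs offline."""
    resp = udp_send(query)
    check_response(query, resp)
    if not parse_header(resp)["tc"]:
        return resp, "udp"
    msgs, _ = tcp_unframe(tcp_send(tcp_frame(query)))
    check_response(query, msgs[0])
    return msgs[0], "tcp"

if __name__ == "__main__":
    udp = lambda w: fake_server(w, False, 40)
    tcp = lambda w: tcp_frame(fake_server(tcp_unframe(w)[0][0], True, 40))
    for edns in (None, 4096):
        q = build_query(0x1234, "example.com", edns_udp_size=edns)
        resp, via = resolve(q, udp, tcp)
        print(f"EDNS={edns}: {parse_header(resp)['ancount']} answers via {via}")
```

With 40 A records the 669-byte reply exceeds 512 bytes, so the non-EDNS query is truncated and completes over TCP; the same query advertising a 4096-byte EDNS0 buffer completes over UDP. A border filter that only passes UDP/53 silently breaks the first case (and any DNSSEC-signed zone with large responses), which is a different failure from a blocked AXFR.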
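The "ICMP is a security risk" myth and the remark that ICMP matters more for IPv6 come together in path MTU discovery: IPv6 routers do not fragment, so a host learns a smaller path MTU only from an ICMPv6 Packet Too Big (type 2) message. The following is an added example, not code from the thread or from any participant: it builds a PTB message with a correct RFC 4443 checksum over the IPv6 pseudo-header, then runs it through two border policies before the host's PMTUD logic, a "drop all ICMPv6" policy and one that passes the types RFC 4890 section 4.3.1 says must not be dropped (my reading of the RFC, with per-code detail omitted). The host side validates the checksum and checks that the quoted packet was one it sent, which is the check that replaces "block it all". Addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""ICMPv6 Packet Too Big handling versus an ICMP-blocking border policy (added example)."""
import socket
import struct

IPV6_MIN_MTU = 1280
ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2

# Types a border filter must not drop per RFC 4890 section 4.3.1 (assumption: codes ignored here;
# the RFC is code-specific for types 3 and 4). Destination Unreachable, Packet Too Big,
# Time Exceeded, Parameter Problem, Echo Request, Echo Reply.
RFC4890_PASS = {1, 2, 3, 4, 128, 129}
DROP_ALL_ICMPV6 = set()   # the "ICMP is a security risk" policy from the audit checklist

def ip6(addr):
    return socket.inet_pton(socket.AF_INET6, addr)

def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 section 2.3: checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Computed over a message whose checksum field is already filled in, this returns 0."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER])
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF

def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + src + dst + payload

def build_packet_too_big(router, host, mtu, invoking_packet):
    """Router-originated PTB: type, code, checksum, MTU, then as much of the invoking packet
    as fits in the IPv6 minimum MTU (RFC 4443 section 3.2)."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet[:IPV6_MIN_MTU - 40 - 8]
    body = body[:2] + struct.pack("!H", icmpv6_checksum(router, host, body)) + body[4:]
    return build_ipv6(router, host, ICMPV6_NEXT_HEADER, body, hop_limit=255)

def handle_icmpv6(packet, our_addr, pmtu, policy):
    """Border filter followed by the host's PMTUD logic. Returns (status, pmtu cache)."""
    vtf, plen, nh, _ = struct.unpack_from("!IHBB", packet, 0)
    if vtf >> 28 != 6 or nh != ICMPV6_NEXT_HEADER:
        return "not_icmpv6", pmtu
    src, dst, icmp = packet[8:24], packet[24:40], packet[40:40 + plen]
    if len(icmp) < 8:
        return "truncated", pmtu
    itype = icmp[0]
    if itype not in policy:
        return "filtered", pmtu            # the firewall never lets the host see it
    if icmpv6_checksum(src, dst, icmp) != 0:
        return "bad_checksum", pmtu
    if itype != ICMPV6_PACKET_TOO_BIG:
        return "ignored", pmtu
    mtu = struct.unpack_from("!I", icmp, 4)[0]
    invoking = icmp[8:]
    # Anti-spoofing: the quoted packet must be one we sent (a real stack also matches it to a flow).
    if len(invoking) < 40 or invoking[8:24] != our_addr:
        return "spoofed", pmtu
    target = invoking[24:40]
    # RFC 8201: never estimate below the IPv6 minimum link MTU, and a PTB never raises the cache.
    pmtu[target] = min(pmtu.get(target, 1500), max(mtu, IPV6_MIN_MTU))
    return "pmtu_updated", pmtu

if __name__ == "__main__":
    host, router, server = ip6("2001:db8:1::10"), ip6("2001:db8:1::1"), ip6("2001:db8:ffff::80")
    big = build_ipv6(host, server, 6, b"\x00" * 1400)     # a 1440-byte segment the host sent (constructed)
    ptb = build_packet_too_big(router, host, 1280, big)   # a 1280-byte link on the path
    for name, policy in (("drop-all ICMPv6", DROP_ALL_ICMPV6), ("RFC 4890", RFC4890_PASS)):
        status, cache = handle_icmpv6(ptb, host, {server: 1500}, policy)
        print(f"{name:16s} -> {status}, PMTU to server = {cache[server]}")
```

Under the drop-all policy the host keeps sending 1440-byte packets that the 1280-byte link can never carry, and the connection black-holes rather than failing visibly; under the RFC 4890 policy the cache drops to 1280 after one PTB. The checksum and quoted-packet checks are what keep an attacker from driving the MTU down with forged PTBs, which is the actual risk behind the myth.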