Re: Arguing against using public IP space
Tue Nov 15 12:34:22 2011
To: William Herrin <bill@herrin.us>
In-Reply-To: Your message of "Tue, 15 Nov 2011 09:56:38 EST."
<CAP-guGXMNhCyA4J1jd6gNryuPD0whmKVkqBesjhNgk5M1FcjXw@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 15 Nov 2011 12:31:26 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said:
> A firewall's job is to prevent the success of ACTIVE attack vectors
> against your network. If your firewall successfully restricts
> attackers to passive attack vectors (drive-by downloads) and social
> engineering vectors then it has done everything reasonably expected of
> it. Those other parts of the overall network security picture are
> dealt with elsewhere in system security apparatus. So it's no mistake
> that in a discussion of firewalls those two attack vectors do not
> feature prominently.
You missed the point - in the greater scheme of things, the threat model has
moved on, so the entire "ZOMG We can't deploy IPv6 because there's no NAT for
security" is a total crock of bovine manure. There are *so many* lower-hanging
fruit these days that if you're trying to *actually* improve your site's
security, you'd just punt worrying about the NAT stuff and focus on doing a
better job defending against the threats that are actually succeeding in
breaking into systems.
In another year or two, lack of IPv6 deployment is going to start impacting
the "availability" part of the security triad. I'd worry about *that* more than
"how many NATs can dance on the head of a pin".
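The property the thread is really arguing about is "unsolicited inbound connections are dropped, outbound and their return traffic are allowed", and that comes from stateful filtering, not from address translation. The ruleset below is an added example (not from this thread or any poster) of an nftables configuration that gives a dual-homed IPv6 router exactly that behaviour with globally routable addresses on every host; the interface names `lan0` and `wan0` and the two permitted service ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 firewall without NAT.
# Assumptions: "lan0" faces the inside network, "wan0" faces the Internet,
# and only SSH (22) and HTTPS (443) on the router itself are meant to be reachable.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and return traffic for connections this host initiated.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without these ICMPv6 types (neighbour discovery,
        # path MTU discovery); do not block them to "harden" the box.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Only explicitly listed services are reachable from outside.
        tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections opened from the inside are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate toward the Internet; the reverse is denied
        # by the chain policy, which is the "NAT-like" default people want.
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`. Note that the inside hosts keep their real global addresses, so an inbound service can later be exposed with one `tcp dport` rule in the forward chain rather than with port-forwarding gymnastics, which is the availability argument made above.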