[146540] in North American Network Operators' Group

Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Nov 15 13:39:33 2011

To: Leigh Porter <leigh.porter@ukbroadband.com>
In-Reply-To: Your message of "Tue, 15 Nov 2011 17:16:23 GMT."
 <56433BFF-2BDF-4C12-928F-B0C576047F24@ukbroadband.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 15 Nov 2011 13:38:52 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 15 Nov 2011 17:16:23 GMT, Leigh Porter said:
> Quite right.. I bet all Iran's nuclear facilities have air gaps but they let
> people in with laptops and USB sticks.

And that's the point - *most* networks have so many bigger issues that the
whole "NAT makes us secure" mantra is dangerous self-delusion.

If you have machines in the NAT area where you're actually concerned that "ZOMG
the firewall might fail and expose them", why aren't they airgapped? As the
Iranians discovered, if the attacker gets a foothold inside the NAT you're
screwed anyhow, and *that* is probably a lot more likely scenario than a
fail-open firewall..
