[146547] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Tue Nov 15 15:55:56 2011
Date: Tue, 15 Nov 2011 15:55:42 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <175192.1321366640@turing-police.cc.vt.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
> And this is totally overlooking the fact that the vast majority of *actual*
> attacks these days are web-based drive-bys and similar things that most
> firewalls are configured to pass through. Think about it - if a NAT'ed
> firewall provides any real protection against real attacks, why are there still
> so many zombied systems out there? I mean, Windows Firewall has been shipping
> with inbound "default deny" since XP SP2 or so. How many years ago was that?
> And what *real* security over and above that host-based firewall are you
> getting from that appliance?
>
> Or as Dr Phil would say "FIrewalls - how is that working out for you?"
Do you have actual honest-to-ghod numbers, Valdis?
And aren't you making here the same assumption for which we chastise people
who run DNS resolvers that wildcard to advertising pages for NXDOMAIN:
That all the world's a workstation?
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
