[170131] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Joe Greco)
Mon Mar 24 13:45:35 2014
From: Joe Greco <jgreco@ns.sol.net>
To: bill@herrin.us (William Herrin)
Date: Mon, 24 Mar 2014 08:25:42 -0500 (CDT)
In-Reply-To: <CAP-guGVfNySCSuw-59kuGWe=eJxKTqo5bySttDaftQa7vA6V0g@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> Hi Mike,
>
> You can either press the big red button and fire the nukes or you
> can't, so what difference how many layers of security are involved
> with the "Football?"
>
> I say this with the utmost respect, but you must understand the
> principle of defense in depth in order to make competent security
> decisions for your organization. Smart people disagree on the details
> but the principle is not only iron clad, it applies to all forms of
> security, not just IP network security.
The problem here is that what's actually going on is that you're now
enshrining as a "security" device a hacky, ill-conceived workaround
for a lack of flexibility/space/etc in IPv4. NAT was not designed
to act as a security feature.
If you want more layers of security, put a second firewall into your
design. Don't perpetuate horrid IPv4 hacks that were necessary for
specific reasons into IPv6 where those hacks are no longer needed.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
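To make concrete what "put a second firewall into your design" looks like once NAT is taken out of the picture, here is an added example of a stateful IPv6 perimeter ruleset; it is not code from the thread or from any of the posters. It shows that the one-way, "only flows the inside started get back in" behaviour people credit to NAT comes from connection tracking, not from address rewriting, so it can be kept in IPv6 with globally routable addresses. The interface names lan0/wan0, the documentation prefix 2001:db8:1::/48, and the single published host 2001:db8:1::25 are assumptions; substitute your own. The same ruleset shape, minus the forward chain, is what you would load on each host as the second, independent layer.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed names: lan0, wan0,
# prefix 2001:db8:1::/48, published host 2001:db8:1::25.

flush ruleset

table inet filter {
    # LAN hosts that are allowed to receive unsolicited inbound connections.
    set inbound_allowed {
        type ipv6_addr
        elements = { 2001:db8:1::25 }   # hypothetical mail relay
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the LAN initiated. This rule, not NAT,
        # is what makes the perimeter one-way by default.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: our own prefix must never arrive from the outside.
        iifname "wan0" ip6 saddr 2001:db8:1::/48 drop

        # ICMPv6 the network needs to keep working (RFC 4890). Dropping
        # packet-too-big silently breaks path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Anything the LAN initiates toward the outside is allowed.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/48 accept

        # Unsolicited inbound only to explicitly published services.
        iifname "wan0" oifname "lan0" ip6 daddr @inbound_allowed tcp dport 25 ct state new accept

        # Everything else hits the drop policy; log a sample of it for detection.
        limit rate 5/second log prefix "fwd-drop: "
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # The firewall itself needs neighbor discovery and router advertisements.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept

        # Management only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and review with `nft list ruleset`. The point to take from the forward chain is that every property NAT was being credited with (inside-initiated flows only, no unsolicited inbound, a short list of published services) is expressed directly as policy, and the addresses stay end-to-end reachable, which is exactly what a second, independent host firewall can then build on.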