[171133] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Matthew Kaufman)
Fri Apr 18 19:05:10 2014

In-Reply-To: <CALgc3C53xp_XaL07xcQeBJPDbrAx0vb2dfrwvZe3OqVJMm0anQ@mail.gmail.com>
From: Matthew Kaufman <matthew@matthew.at>
Date: Fri, 18 Apr 2014 16:03:53 -0700
To: Eugeniu Patrascu <eugen@imacandi.net>
Cc: "draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org"
 <draft-gont-opsec-ipv6-firewall-reqs@tools.ietf.org>, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Ignoring security, A is superior because I can change it to DNAT to the new server, or DNAT to the load balancer now that said server needs 10 replicas, etc.

B requires re-numbering the server or *if* I am lucky enough that it is reached by DNS name and I can change that DNS promptly, assigning a new address and adding another firewall rule that didn't exist.

Matthew Kaufman

(Sent from my iPhone)

> On Apr 18, 2014, at 3:19 PM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
>
>> On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill@herrin.us> wrote:
>>
>> On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu <eugen@imacandi.net>
>> wrote:
>>> On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <george.herbert@gmail.com>
>>> wrote:
>>>> You are missing the point.
>>>>
>>>> Granted, anyone who is IPv6 aware doing a green-field enterprise firewall
>>>> design today should probably choose another way than NAT.
>>>
>>> That's why you have gazillions of IP addresses in IPv6, so you don't need to
>>> NAT anything (among other things). I don't understand why people cling to
>>> NAT stuff when you can just route.
>>
>> 4. Defense in depth is a core principle of all security, network and
>> physical. If you don't practice it, your security is weak. Equipment
>> which is not externally addressable (due to address-overloaded NAT)
>> has an additional obstruction an adversary must bypass versus an
>> identical system where the equipment is externally addressable (1:1
>> NAT, static port translation and simple routing). This constrains the
>> kinds of attacks an adversary may employ.
> Let's make it simple:
>
> Scenario (A) w/ IPv4
> [Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address
> :80/TCP
>
> Scenario (B) w/ IPv6
> [Internet] -> Firewall -> Host w/ Routable IP Address :80/TCP
>
>
> In scenario (A) I hide a server behind a firewall and do a simple
> destination NAT (most common setup found in all companies).
> In scenario (B) I have a firewall rule that only allows port 80 to a
> machine in my network.
>
>
> Explain to me how from a security standpoint Scenario (A) is better than
> scenario (B).
>
>
> Defense in depth, to my knowledge - and feel free to correct me, is to have
> defenses at every point in the network and at the host level to protect
> against different attack vectors that are possible at those points. For
> example a firewall that understands traffic at the protocol level, a
> hardened application server, a hardened application, secure coding
> practices and so on depending on the complexity of the network and the
> security requirements.
>
>
>> Feel free to refute all four points. No doubt you have arguments you
>> personally find compelling. Your arguments will fall on deaf ears. At
>> best the arguments propose theory that runs contrary to decades of
>> many folks' experience. More likely the arguments are simply wrong.
> Just because some people have decades of experience, it doesn't mean they
> are right or know what they are doing.
>
>
> Eugeniu
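As an added illustration that is not part of the thread, the two scenarios Eugeniu sketches can be written out as nftables rulesets. The addresses and interface are assumptions chosen from the documentation ranges: 192.0.2.10 is the firewall's public IPv4 address, 10.0.0.20 the internal server, 2001:db8::20 the IPv6 host, and eth0 the upstream interface.

```nftables
# Scenario (A), IPv4: the server is hidden behind a destination NAT.
# Addresses and interface names are assumed for the example.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only this line has to change when the service moves to a new
        # server or to a load balancer in front of several replicas.
        iif "eth0" ip daddr 192.0.2.10 tcp dport 80 dnat to 10.0.0.20:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" masquerade
    }
}

table ip filter {
    chain forward {
        # Default drop: nothing reaches the inside unless a rule allows it.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The forward hook runs after prerouting DNAT, so it matches on
        # the translated (internal) destination address.
        iif "eth0" ip daddr 10.0.0.20 tcp dport 80 ct state new accept
    }
}

# Scenario (B), IPv6: the host has a globally routable address and the
# firewall simply permits new connections to port 80 on that one host.
table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iif "eth0" ip6 daddr 2001:db8::20 tcp dport 80 ct state new accept
    }
}
```

In both rulesets it is the forward chain's default-drop policy plus a single stateful accept rule that limits what can reach the host, which is the point Eugeniu is making. The difference Matthew raises is operational: in (A) moving the service means editing the dnat target, while in (B) the host is renumbered or given an additional address and the forward rule gains a new line.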

