nanog mailing list archives
Re: Arguing against using public IP space
From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Nov 2011 12:31:26 -0500
On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said:
> A firewall's job is to prevent the success of ACTIVE attack vectors against your network. If your firewall successfully restricts attackers to passive attack vectors (drive-by downloads) and social engineering vectors then it has done everything reasonably expected of it. Those other parts of the overall network security picture are dealt with elsewhere in system security apparatus. So it's no mistake that in a discussion of firewalls those two attack vectors do not feature prominently.
You missed the point - in the greater scheme of things, the threat model has moved on, so the entire "ZOMG We can't deploy IPv6 because there's no NAT for security" is a total crock of bovine manure. There are *so many* lower-hanging fruit these days that if you're trying to *actually* improve your site's security, you'd just punt worrying about the NAT stuff and focus on doing a better job defending against the threats that are actually succeeding in breaking into systems. In another year or two, lack of IPv6 deployment is going to start impacting the "availability" part of the security triad. I'd worry about *that* more than "how many NATs can dance on the head of a pin".