From: Tim Franklin (no email)
Date: Thu Jan 03 2008 - 11:25:31 EST
On Thu, January 3, 2008 3:17 pm, William Herrin wrote:
> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.
Only assuming the nature of your mistake is 'turn it off'.
I can fat-finger a 'port-forward *all* ports to important internal
server', rather than just '80/TCP' pretty much exactly as easily as I can
fat-finger 'permit *all* external to important internal server' rather
than just '80/TCP'.
Which failure mode is more acceptable is going to depend on the business
in question too. If 'seconds connected to the Internet' is a direct
driver of 'dollars made', spending a length of time exposed (risk of loss)
while fixing a config error may well be preferable to spending a length of
time disconnected (actual loss).
I'll grant the 'everything is disconnected' case is easier to spot, though
- especially if you don't have proper change management to test that the change
you made is the change you think you made.
Regards,
Tim.
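The two fat-finger cases Tim describes, a NAT forward of every port and a filter permit of every port, expose the same thing, and his closing point is that change management should catch the gap between the intended and the applied rule. The following added example (not from either poster, with a constructed rule model and a hypothetical internal host 10.0.0.5) lints both rule types for over-broad port exposure and diffs an applied ruleset against the intended one:

```python
"""Lint a small firewall/NAT rule model for over-broad exposure and verify changes."""
from dataclasses import dataclass

ANY = "any"  # unrestricted port set


@dataclass(frozen=True)
class Rule:
    kind: str        # "forward" (NAT port-forward) or "permit" (stateful filter)
    src: str         # where traffic may come from, e.g. "external" or "any"
    dst: str         # internal host the rule points at
    proto: str       # "tcp", "udp" or "any"
    ports: object    # frozenset of destination ports, or ANY


def lint(rules, max_ports=1):
    """Report rules that expose more than max_ports ports on an internal host.

    A forward-all and a permit-all rule are reported the same way: both put
    every port of the inside host in reach of the outside.
    """
    findings = []
    for r in rules:
        if r.kind not in ("forward", "permit"):
            raise ValueError(f"unknown rule kind: {r.kind}")
        if r.ports == ANY:
            findings.append(f"{r.kind}: all {r.proto} ports from {r.src} reach {r.dst}")
        elif len(r.ports) > max_ports:
            findings.append(f"{r.kind}: {len(r.ports)} ports from {r.src} reach {r.dst}")
    return findings


def verify_change(intended, applied):
    """Change-management check: the applied ruleset must equal the intended one.

    Returns (unexpected, missing): rules present but not intended, and vice versa.
    """
    unexpected = sorted(set(applied) - set(intended), key=str)
    missing = sorted(set(intended) - set(applied), key=str)
    return unexpected, missing


# Constructed sample rules: what the operator meant, and the two fat-finger variants.
INTENDED = [Rule("forward", "any", "10.0.0.5", "tcp", frozenset({80}))]
APPLIED_NAT = [Rule("forward", "any", "10.0.0.5", "tcp", ANY)]
APPLIED_FILTER = [Rule("permit", "external", "10.0.0.5", "tcp", ANY)]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("nat", APPLIED_NAT), ("filter", APPLIED_FILTER)):
        print(name, lint(rules) or "ok")
    print("drift:", verify_change(INTENDED, APPLIED_NAT))
```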