Re: Assigning IPv6 /48's to CPE's?

From: (no name) (no email)
Date: Thu Jan 03 2008 - 23:57:49 EST

  • Next message: Martin Hannigan: "Re: IPv6 tracking assignments (OSS recommendations) See www.internetassociatesllc.com"

    On Thu, 03 Jan 2008 10:17:37 EST, William Herrin said:

    > In my ever so humble opinion, IPv6 will not reach significant
    > penetration at the customer level until NAT has been thoroughly
    > implemented. Corporate information security officers will insist.
    > Here's the thing: a stateful non-NAT firewall is automatically less
    > secure than a stateful translating firewall. Why? Because a mistake
    > configuring a NAT firewall breaks the network causing everything to
    > stop working while a mistake with a firewall that does no translation
    > causes data to flow unfiltered. Humans being humans, mistakes will be
    > made. The first failure mode is highly preferable.

    Which is why, if your site has an *actual* clue, the deployed hosts *also*
    have their own iptables/ipfilters/whatever-windows-calls-it rulesets that
    say what hosts are allowed to talk to them. So on the server, I can do:

    ip6tables -A tcp-in ! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP

    Now, even if our firewall guys fumble-finger something, I won't get
    SSH connections coming in from outside AS1312.

    Of course, I can't talk about business pressures from customers that have
    incompetent security officers that don't understand stuff like multiple
    layers of defense...
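The host-level rule quoted above, modelled as an added example (not code from this thread): a first-match-wins evaluator that stands in for ip6tables chain semantics, showing that SSH from outside the site's /48 is still dropped at the host even when the perimeter firewall passes everything. The `Rule` class, `evaluate` and `host_decision` are assumed names for this illustration.

```python
"""Defense-in-depth check: host-level filter behind a failed-open perimeter.

Added example, not from the original post. Models the rule
`! -s 2001:468:c80::/48 -p tcp --dport 22 -j DROP` as a first-match-wins
rule list (an assumption standing in for ip6tables chain semantics).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SITE_PREFIX = ipaddress.ip_network("2001:468:c80::/48")  # prefix from the post


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                      # "tcp", "udp" or None for any
    dport: Optional[int]                      # destination port or None for any
    src: Optional[ipaddress.IPv6Network]      # source network or None for any
    negate_src: bool                          # True models "! -s <net>"
    target: str                               # "ACCEPT" or "DROP"

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None:
            in_net = ipaddress.ip_address(src) in self.src
            if in_net == self.negate_src:     # negated rule matches only when NOT in net
                return False
        return True


def evaluate(rules, src: str, proto: str, dport: int, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.target
    return policy


# Host ruleset from the post: drop SSH unless the source is inside the site /48.
HOST_RULES = [Rule("tcp", 22, SITE_PREFIX, negate_src=True, target="DROP")]


def host_decision(src: str, proto: str = "tcp", dport: int = 22) -> str:
    # The perimeter firewall is assumed to have failed open (passes all traffic);
    # only the host-level chain stands between the packet and sshd.
    return evaluate(HOST_RULES, src, proto, dport)


if __name__ == "__main__":
    for sample in ("2001:468:c80:1::10", "2001:db8::1"):   # constructed sources
        print(sample, "->", host_decision(sample))
```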



