Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls



Hi, all,

On Thu, Aug 23, 2007 at 05:06:55PM -0400, Dave Piscitello wrote:

I'm sorry, but you are not using the term end-to-end in the correct context.

Understood and agreed, but ... ;-)

Almost any firewalled configuration uses IP masquerading and that's hugely
important. Do you really think it's better to assign public address space
behind firewalls? Do you really want everyone to know every IP address block
your organization uses internally by querying an RIR?

Yes, I think "official" registered address space for every single
node, PC, mobile phone, fridge, coffee machine, ... _is_ the
ultimate goal and one of the major reasons to deploy IPv6.

First you should not rely on NAT as a security measure, anyway,
because it isn't.

Second, one can just as well deploy a proxy with registered
address space on both sides. I'm doing it in my datacenter
to protect web and database servers. There's nothing gained
by putting the "visible" address on the proxy and the web server
on net 10. Besides added complexity and worse logging capabilities.
Modern proxy firewalls with transparency appear like a router to
the protected hosts, so why not use them that way and disable NAT?

Third, this is the _only_ way to get rid of the "net 10 considered
harmful" nightmare that pops up over and over again when two
enterprises want to connect their internal nets in some way.
For example SAP already hands /29 subnets of their own RIPE
assigned IPv4 address space to their customers to build DMZs for
remote support/VPN access, precisely for this reason.

These combined are reasons to implement IPv4 forever:-)

IMHO theses are the combined reasons to start over and
kill NAT forever.

Kind regards,
Patrick M. Hausen
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@xxxxxxxx http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: [fw-wiz] Recommended Open Source Proxy Firewalls
    ... and was interested in investigating open source "proxy firewalls". ... strong proxy for HTTP, because the protocol is ubiqitous, reasonably ...
    (Firewall-Wizards)
  • Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
    ... Just because you enforce HTTP over TCP/80 with a ... > proxy doesn't mean you're keeping all of the garbage out... ... The very same vendor has got an MS SQL proxy that actually understands ... Firewalls have never been about ports. ...
    (Firewall-Wizards)
  • Re: Linksys hardware firewall enough...?
    ... Most of us know that ROUTING is part of NAT and has ... > nothing to do with firewalls. ... firewall provides routing, NAT, and packet filtering. ... > them that the devices marketed as firewalls, that are only NAT Routers ...
    (comp.security.firewalls)
  • Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?
    ... >The whole reason NAT was implemented was because of a very finite number of publicly routable IP addresses. ... The first firewalls I built offered NAT (inherent in the design and then later via ... "Proxy transparency" in Gauntlet) because a lot of the early firewall customers ... re-address their network or NAT ...
    (Firewall-Wizards)
  • Re: Types of firewall...
    ... > I'm currently working on a firewalls project as part of my degree. ... Static packet filter ... > 2.1 Circuit level proxy ... Packet filtering bridges are firewalls, and even network firewalls, ...
    (comp.security.firewalls)