Re: [fw-wiz] IPv6 support in firewalls



Hi!

On Mon, Aug 27, 2007 at 01:24:54PM -0400, Dave Piscitello wrote:

First you should not rely on NAT as a security measure, anyway,
because it isn't.

I advocate using every measure possible to provide security. IP masquerading
helps thwart information gathering. I would never suggest using NAT as the
only security measure. By IP masquerading, I avoid having a RIR identify the
address blocks I use internally, as they would if I were to use public
space. Explain why you feel this is wrong?

I don't feel this is wrong, I think good security practice
should be to make it unnecessary by design. The security
of a cipher should not depend on the secrecy of the algorithm.

The security of a network should not depend on the secrecy of
the structure, because sooner or later secrets will be no longer.

A bit of social engineering, a fired insider, ... holds for
ciphers and for networks, IMHO. And I mean *should* as in
RFC language, not as in common English ;-)

Third, this is the _only_ way to get rid of the "net 10 considered
harmful" nightmare

It's only a nightmare for people who do not exercise discipline
in assigning addresses.

OK, so please hand me a list of the RFC 1918 networks of all
third parties that I will need to connect to in the next ten
years. Your crystal ball seems to be working a lot better than
mine ;-)) No insult intended, honestly, but I don't buy the
"discipline" argument. Different enterprises need to connect
as business dictates, possibly tomorrow. And double NATing
and proxying makes things worse, not better.

As I said, SAP is already using addresses from their RIPE assigned
allocation for their strictly internal VPN connections to customers.
That would be "Oracle" for you American guys ;-) Biggest German
software company ...

I could just as easily err with public addresses and assign the
same block of addresses to multiple sites.

Yes you can. But then it's your fault. And if the successor of
the successor for your former position gets it wrong, then either
you or the first successor did not document properly.

But the addresses of arbitrary peers are strictly outside of
my control ...

Unique addresses for every single device. You can still hide
them behind a proxy if you feel like it. That's the additional
benefit. You can decide which hosts to expose and which ones
to hide. With at least a /48 assigned to every end user, there's
plenty of maneuver room.

Compare that to an IPv4 /29 for your uplink and all of a sudden a
7th department wants a server with port 80 exposed to the
Internet.

IMHO these are the combined reasons to start over and
kill NAT forever.

Won't happen in my lifetime, nor my children's lifetime.

Time will tell ;-) I won't bet more than, say, a cask of
beer on my position, but I strongly feel like it was
The Right Thing [tm] and NAT was a cheap hack that has
been far too successful.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@xxxxxxxx http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
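The "decide which hosts to expose and which ones to hide" design from the thread, as an added nftables illustration that is not part of the original post or of any product mentioned in it: every inside host carries a globally unique address out of a /48, the router's forward policy is default-deny, and only the addresses in the exposed set accept inbound HTTP, with no address translation anywhere. The interface names lan0/wan0, the 2001:db8:1234::/48 documentation prefix and the host addresses are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread): IPv6 default-deny policy for a
# router whose inside hosts all have public addresses from an assumed /48.
flush ruleset

table inet filter {
    # Assumed addresses of the servers we deliberately expose. Every other
    # host in the /48 keeps its unique address but is unreachable from outside.
    set exposed_web {
        type ipv6_addr
        elements = { 2001:db8:1234:10::80, 2001:db8:1234:70::80 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Unlike IPv4, IPv6 stops working if ICMPv6 is dropped wholesale:
        # neighbour discovery and path MTU discovery depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Management of the router itself only from the inside prefix.
        iifname "lan0" ip6 saddr 2001:db8:1234::/48 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # Inside hosts may initiate connections to the Internet; the source
        # check stops anything outside our /48 from being forwarded out.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1234::/48 accept
        # Inbound from the Internet: only the chosen servers, only port 80.
        # Adding a seventh department's server is one more set element,
        # not a port-forward on a scarce /29.
        iifname "wan0" oifname "lan0" ip6 daddr @exposed_web tcp dport 80 accept
        # Log (rate-limited) what the default-deny policy discards so an
        # accidental exposure or a missing rule shows up in the logs.
        iifname "wan0" limit rate 10/minute log prefix "v6-fwd-drop: "
    }
}
```

Load with `nft -f` on the router; `nft list ruleset` afterwards confirms that nothing but the two set members is reachable on port 80 from the wan0 side.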


