[arin-ppml] IPv6 Non-connected networks
Owen DeLong
owen at delong.com
Wed Mar 24 16:25:12 EDT 2010
On Mar 24, 2010, at 1:03 PM, William Herrin wrote:
> On Wed, Mar 24, 2010 at 12:41 PM, Michael K. Smith - Adhost
> <mksmith at adhost.com> wrote:
>> I'm not sure I understand how NAT fixes this any more than properly
>> applied firewall rules would.
>
> Hi Michael,
>
> Properly applied firewall rules secure a system regardless of the
> methodology. Dwelling on that misunderstands the nature of security.
> Strength of security lies in depth: people being people, mistakes will
> be made. In the config. In the code. Everywhere. What happens then?
>
Agreed.
> A firewall is a door with a lock. Unlock the door, forget to re-lock
> it and you're done.
>
Sort of.
> A NAT firewall is a door with a pneumatic closer, a prox card reader
> and a pin code. This latter is less vulnerable to attack: stealing or
> duplicating the prox card is as hard or harder than picking a lock and
> even once you have the card, you still need the matching pin code for
> entry.
>
No. A NAT firewall is a door with a lock and a deadbolt at best unless
rules must be expressed in terms of entry/exit zone in addition to source/destination
address. In the case where rules must be expressed in both terms, then:
A firewall is a door with a lock and a deadbolt.
A NAT firewall of this type is a door with a lock, a deadbolt, and a prox-card reader
capable of unlocking both the lock and deadbolt (NAT).
> Either way you're screwed when an authorized entrant politely holds
> the door, but that remaining vulnerability doesn't diminish the
> difference in security between the two.
>
Yep.
>
>
> And I will suggest that for any given firewall configuration, the
> otherwise-identical configuration that also does NAT has implemented
> stronger security.
>
Nope... I provided an example earlier where NAT actually reduced security.
Owen