[arin-ppml] IPv6 Non-connected networks

Owen DeLong owen at delong.com
Wed Mar 24 16:25:12 EDT 2010


On Mar 24, 2010, at 1:03 PM, William Herrin wrote:

> On Wed, Mar 24, 2010 at 12:41 PM, Michael K. Smith - Adhost
> <mksmith at adhost.com> wrote:
>> I'm not sure I understand how NAT fixes this any more than properly
>> applied firewall rules would.
> 
> Hi Michael,
> 
> Properly applied firewall rules secure a system regardless of the
> methodology. Dwelling on that misunderstands the nature of security.
> Strength of security lies in depth: people being people, mistakes will
> be made. In the config. In the code. Everywhere. What happens then?
> 
Agreed.

> A firewall is a door with a lock. Unlock the door, forget to re-lock
> it and you're done.
> 
Sort of.

> A NAT firewall is a door with a pneumatic closer, a prox card reader
> and a pin code. This latter is less vulnerable to attack: stealing or
> duplicating the prox card is as hard or harder than picking a lock and
> even once you have the card, you still need the matching pin code for
> entry.
> 
No.  A NAT firewall is a door with a lock and a deadbolt at best unless
rules must be expressed in terms of entry/exit zone in addition to source/destination
address.  In the case where rules must be expressed in both therms, then:

A firewall is a door with a lock and a deadbolt.
A NAT firewall of this type is a door with a lock, a deadbolt, and a prox-card reader
capable of unlocking both the lock and deadbolt (NAT).

> Either way you're screwed when an authorized entrant politely holds
> the door, but that remaining vulnerability doesn't diminish the
> difference in security between the two.
> 
Yep.
> 
> 
> And I will suggest that for any given firewall configuration, the
> otherwise-identical configuration that also does NAT has implemented
> stronger security.
> 
Nope... I provided an example earlier where NAT actually reduced security.

Owen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20100324/27c5d59c/attachment-0001.html>


More information about the ARIN-PPML mailing list