nanog mailing list archives

Re: Requirements for IPv6 Firewalls

From: Eugeniu Patrascu <eugen () imacandi net>
Date: Sat, 19 Apr 2014 01:19:26 +0300

On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill () herrin us> wrote:

On Fri, Apr 18, 2014 at 3:31 AM, Eugeniu Patrascu <eugen () imacandi net>
wrote:

On Thu, Apr 17, 2014 at 11:45 PM, George Herbert <

george.herbert () gmail com>

wrote:

You are missing the point.

Granted, anyone who is IPv6 aware doing a green-field enterprise

firewall

design today should probably choose another way than NAT.


That's why you have gazzilions of IP addresses in IPv6, so you don't

need to

NAT anything (among other things). I don't understand why people cling to
NAT stuff when you can just route.


4. Defense in depth is a core principle of all security, network and
physical. If you don't practice it, your security is weak. Equipment
which is not externally addressable (due to address-overloaded NAT)
has an additional obstruction an adversary must bypass versus an
identical system where the equipment is externally addressable (1:1
NAT, static port translation and simple routing). This constrains the
kinds of attacks an adversary may employ.

Let's make it simple:

Scenario (A) w/ IPv4
[Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address
:80/TCP

Scenario (B) w/ IPv6
[Internet] -> FIrewall -> Host w/ Routable IP Address :80/TCP


In scenario (A) I hide a server behind a firewall and to a simple
destination NAT (most common setup found in all companies).
In scenario (B) I have a firewall rule that only allows port 80 to a
machine in my network.


Explain to me how from a security standpoint Scenario (A) is better than
scenario (B).


Defense in depth, to my knowledge - and feel free to correct me, is to have
defenses at every point in the network and at the host level to protect
against different attack vectors that are possible at those points. For
example a firewall that understands traffic at the protocol level, a
hardened application server, a hardened application, secure coding
practices and so on depending of the complexity of the network and the
security requirements.

Feel free to refute all four points. No doubt you have arguments you
personally find compelling. Your arguments will fall on deaf ears. At
best the arguments propose theory that runs contrary to decades of
many folks' experience. More likely the arguments are simply wrong.

Just because some people have decades of experience, it doesn't mean they
are right or know what they are doing.


Eugeniu

Current thread:

Re: Requirements for IPv6 Firewalls, (continued)
- - - Re: Requirements for IPv6 Firewalls joel jaeggli (Apr 19)
    - Re: Requirements for IPv6 Firewalls Gary Buhrmaster (Apr 19)
    - Re: Requirements for IPv6 Firewalls TheIpv6guy . (Apr 18)
    - Re: Requirements for IPv6 Firewalls Florian Weimer (Apr 19)
    - Re: Requirements for IPv6 Firewalls Simon Perreault (Apr 22)
    - Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
    - Re: Requirements for IPv6 Firewalls George Herbert (Apr 18)
    - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 18)
    - Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
    - Re: Requirements for IPv6 Firewalls Gary Buhrmaster (Apr 18)
    - Re: Requirements for IPv6 Firewalls Eugeniu Patrascu (Apr 18)
    - Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
    - Re: Requirements for IPv6 Firewalls Eugeniu Patrascu (Apr 19)
    - Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
    - Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
    - Re: Requirements for IPv6 Firewalls Jimmy Hess (Apr 18)
    - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 18)
    - Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
    - Re: Requirements for IPv6 Firewalls George Herbert (Apr 18)
    - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 21)
    - Re: Requirements for IPv6 Firewalls George Herbert (Apr 21)

(Thread continues...)