On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-kell@utc.edu> wrote:
On 4/29/2014 2:06 PM, Owen DeLong wrote:
If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or even 3) IPv6 prefixes…
As a bonus, we could get rid of NAT, too. ;-)
/me ducks (but you know I had to say it)
Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc / etc had been eliminated by process of "can't get there from here"... we expose millions more endpoints...
/me ducks too (but you know *I* had to say it)
No ducking here. You forgot Nimda. Do you have an example from the last 10 years of this class? Windows XP SP3 with a default host firewall on really did solve most of this, not NAT. Not stateful firewalls in networks.

In fact, jogging my memory, I clearly remember Blaster taking out enterprise networks with network firewalls and stateful inspection... because people manually move their laptops between security zones. Right? They got infected on one LAN and then attached and spread the worm to other LANs. I also remember the folks saying "we just spent $100k on a pair of super Netscreen firewalls, why is our network crashing?" Right? And then the infection scanning from hacked hosts... of course, overloaded the firewall, and that crashed the entire campus... because the firewall was a single point of failure sitting on the internet border... and it has the 0-day flaw of too many sessions = crash. Most firewalls have this 0-day, it's a feature.

This really happened to me in 2003, where a network-based attack had a broad impact on hosts. But, never again after Win XP SP3. Now, I just have DDoS from purposefully publicly (poorly) run NTP and DNS servers. And, hacks from users clicking on links they know they should not click on. Oh, and anything made with Java or Adobe or IE. Those things are impossible to run securely, so secure systems don't run them. And, every now and then a server gets cracked, right through the stateful firewall... because there was a rule allowing ANY to TCP 80.

CB