Quite right.. I bet all Iran's nuclear facilities have air gaps but they let people in with laptops and USB sticks. -- Leigh On 15 Nov 2011, at 14:48, "Chuck Church" <chuckchurch@gmail.com> wrote:
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, November 15, 2011 9:17 AM To: Leigh Porter Cc: nanog@nanog.org; McCall, Gabriel Subject: Re: Arguing against using public IP space
And this is totally overlooking the fact that the vast majority of *actual* attacks these days are web-based drive-bys > and similar things that most firewalls are configured to pass through. Think about it - if a NAT'ed firewall provides > any real protection against real attacks, why are there still so many zombied systems out there? I mean, Windows > Firewall has been shipping with inbound "default deny" since XP SP2 or so. How many years ago was that?
Simple explanation is that most firewall rules are written to trust traffic initiated by 'inside' (your users), and the return traffic gets trusted as well. This applies to both Window's own FW, and most hardware based firewalls. And NAT/PAT devices too. There's nothing more dangerous than a user with a web browser. Honestly, FWs will keep out attacks initiated from outside. But for traffic permitted or initiated by the inside, IPS is only way to go.
Chuck
______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________
______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________