On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis <jlewis@lewis.org> wrote:
breaks, i.e. they'll know it's broken. When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.
The same is true with IPv4 + NAT, in terms of real-world net security, because security attacks against end-user equipment commonly come from either an e-mail message the user is expected to errantly click on, or a malicious website designed to exploit the latest $MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour. If a user accidentally turns off their outbound filtering software, even the IPv4 user behind a NAT setup still has a pretty bad security posture.

Fortunately, the IPv6 address space is so large and sparse that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. Scanning IPv6 addresses by brute force is as computationally hard as figuring out the 16-bit port number pairs of an IPv4 NAT user's open connection in order to fool their NAT device and partially hijack the user's HTTP connection and inject malicious code into their stream.

By the way, if an attacker actually can figure out the port number pairs of a session recognized by the NAT device, the illusion of "security" offered by the NAT setup potentially starts to crumble... Either way, it's 32 bits to be guessed within a fairly limited timeframe.

--
-J