On Fri, Apr 18, 2014 at 6:19 PM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
On Fri, Apr 18, 2014 at 6:02 PM, William Herrin <bill@herrin.us> wrote:
4. Defense in depth is a core principle of all security, network and physical. If you don't practice it, your security is weak. Equipment which is not externally addressable (due to address-overloaded NAT) has an additional obstruction an adversary must bypass versus an identical system where the equipment is externally addressable (1:1 NAT, static port translation and simple routing). This constrains the kinds of attacks an adversary may employ.
Let's make it simple:
Scenario (A) w/ IPv4 [Internet] -> Firewall Public IP :80/TCP -> DNAT to Internal IP Address :80/TCP
Scenario (B) w/ IPv6 [Internet] -> Firewall -> Host w/ Routable IP Address :80/TCP
In scenario (A) I hide a server behind a firewall and do a simple destination NAT (most common setup found in all companies). In scenario (B) I have a firewall rule that only allows port 80 to a machine in my network.
Explain to me how from a security standpoint Scenario (A) is better than scenario (B).
So your question is: how does one variant of being externally addressable (simple routing with a packet filter or perhaps a stateful firewall) differ from another variant of being externally addressable (static inbound port translation)? Hell man, I don't like seeing these in IPv4 let alone IPv6. But when I'm asking a guy to make a much bigger leap of faith, like implementing IPv6, I don't plan to distract him with the fact that he's taken NAT=good from the situation where it's probably true and applied it to a situation where its value is more dubious.
Defense in depth, to my knowledge - and feel free to correct me, is to have defenses at every point in the network and at the host level to protect against different attack vectors that are possible at those points.
And a heart attack is that you clutch your chest and fall over dead. You describe what defense in depth looks like, not what it is. Defense in depth is that you have a fence and a security guard and a spotlight. And a locked door, an alarm system and a safe too. But you don't just have the fence, the door and the safe, a single form of protection at each point. That would be a shallow defense.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
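For readers who want to see the two scenarios Eugeniu describes as concrete firewall configuration, here is an added example written for this page; it is not from either poster. It is an nftables ruleset (iptables/ip6tables was the norm in 2014, but the logic is identical). All addresses are documentation ranges chosen for illustration and the interface names are assumed: 203.0.113.1 is the firewall's public IPv4 address, 192.168.1.10 the internal web server in scenario (A), 2001:db8:1::10 the server's routable address in scenario (B), eth0 faces the Internet and eth1 the LAN.

```nft
# Added example, not part of the original thread.
# Assumed addresses (documentation ranges) and interfaces:
#   203.0.113.1      firewall public IPv4 (scenario A)
#   192.168.1.10     internal web server (scenario A)
#   2001:db8:1::10   web server's routable IPv6 address (scenario B)
#   eth0 = Internet side, eth1 = LAN side

# --- Scenario (A): IPv4, DNAT of the public :80 to the internal host ---
table ip scenario_a {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # rewrite the destination before routing
        iif "eth0" ip daddr 203.0.113.1 tcp dport 80 dnat to 192.168.1.10:80
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # the translated packet is still filtered here; without this
        # rule the DNAT alone does not let the connection through
        iif "eth0" oif "eth1" ip daddr 192.168.1.10 tcp dport 80 ct state new accept
    }
}

# --- Scenario (B): IPv6, no translation, one permit rule ---
table ip6 scenario_b {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # routable address, so only a filter rule is needed
        iif "eth0" oif "eth1" ip6 daddr 2001:db8:1::10 tcp dport 80 ct state new accept
    }
}
```

Load with `nft -f <file>` and inspect with `nft list ruleset`. In both tables the forward chain defaults to drop and admits exactly one unsolicited path: a new TCP connection to port 80 on the web server. Scenario (A) adds the address rewrite in the prerouting hook, but the packet that finally reaches the server is governed by the same kind of forward rule as in (B); that is the comparison Eugeniu's question is asking about.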