Tim Franklin wrote:
On Thu, January 3, 2008 3:17 pm, William Herrin wrote:
In my ever so humble opinion, IPv6 will not reach significant penetration at the customer level until NAT has been thoroughly implemented. Corporate information security officers will insist. Here's the thing: a stateful non-NAT firewall is automatically less secure than a stateful translating firewall. Why? Because a mistake configuring a NAT firewall breaks the network causing everything to stop working while a mistake with a firewall that does no translation causes data to flow unfiltered. Humans being humans, mistakes will be made. The first failure mode is highly preferable.
Only assuming the nature of your mistake is 'turn it off'.
I can fat-finger a 'port-forward *all* ports to important internal server', rather than just '80/TCP' pretty much exactly as easily as I can fat-finger 'permit *all* external to important internal server' rather than just '80/TCP'.
Which failure mode is more acceptable is going to depend on the business in question too. If 'seconds connected to the Internet' is a direct driver of 'dollars made', spending a length of time exposed (risk of loss) while fixing a config error may well be preferable to spending a length of time disconnected (actual loss).
I'll grant the 'everything is disconnected' case is easier to spot, though - especially if you don't have proper change management to test that the change you made is the change you think you made.
Plus an ultimate 'oops, I unapplied the access-list on my internet facing interface' on a firewall should result in all traffic being blocked, at least on a decent firewall... I think that's what was being talked about, no? I'm only speaking from experience on Cisco firewalls where a lower security interface cannot pass traffic to a higher level interface without explicit commands.

Of course, allowing all traffic through 'by mistake' can just as easily be done with 1-to-1 static NAT configs and allowing all traffic in the access-list/firewall rule set when you are using NAT. Ultimately, someone who understands the equipment should be administering it, but we're all human and mistakes happen I suppose.

I personally would not rely on NAT as an exclusive security mechanism in lieu of an actual firewall, but it works decently for most home users. IPv6 enabled SOHO devices will just need to block all ports by default. End users can open ports they need on their SOHO devices just like they map them today with NAT... or maybe UPnP will extend to IPv6 (or has it?) to configure firewall rules dynamically for people on their gateway?

-- 
Vinny Abello
Network Engineer
vinny@tellurian.com
(973)940-6100 (NOC)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"There is no objective reality. Only that which is measured exists. We construct reality, and only in the moment of measurement or observation." -- Niels Bohr
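The "block all ports by default, open only what you need" SOHO gateway the thread keeps coming back to, written out as an added example (this is not from the thread and not a Cisco config; it is a Linux nftables ruleset). Interface names wan0/lan0, the 2001:db8:1::/64 documentation prefix and the internal web server address 2001:db8:1::10 are assumptions chosen for illustration. The point it shows is the fail-closed behaviour Vinny describes: the forward chain's policy is drop, so a rule that is deleted, mistyped or never applied leaves the host unreachable rather than exposed. The one place a fat-finger can still open things up is the final rule, so the comment there spells out what the "permit all" mistake looks like so it can be caught in review.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny stateful IPv6 filtering for a SOHO gateway,
# no NAT involved. Assumed names: wan0 (Internet side), lan0 (inside),
# 2001:db8:1::/64 as the inside prefix, 2001:db8:1::10 as the web server.

flush ruleset

table inet soho_v6 {
    chain forward {
        # policy drop is the fail-closed part: anything not explicitly
        # accepted below is dropped, including traffic whose accept rule
        # was accidentally removed or never loaded.
        type filter hook forward priority filter; policy drop;

        # Replies and related packets for flows that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # The ICMPv6 messages IPv6 needs end to end (PMTUD, errors, ping).
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply
        } accept

        # Inside hosts may open new connections toward the Internet.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 accept

        # The single inbound exception: new HTTP connections to the web server.
        # This is the IPv6 equivalent of a one-port forward on a NAT box.
        # Review note: dropping "tcp dport 80" from this line is the
        # "permit all to the important internal server" mistake from the
        # thread; with policy drop the rule must be present for anything
        # at all to reach the host, so a missing rule fails closed.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 \
            tcp dport 80 ct state new accept
    }

    chain input {
        # Same fail-closed stance for traffic to the gateway itself.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisement handling happen here,
        # not in forward, because they are link-local and terminate on the box.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Management only from the inside; nothing is opened on wan0.
        iifname "lan0" tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` and then compare `nft list ruleset` against the file you intended to load; that diff is the cheap version of the change-management check Tim mentions, and it is the step that catches a rule that silently failed to apply. Because both chains carry `policy drop`, the only way to end up with the fail-open outcome described in the thread is to write an over-broad accept rule, which is why the inbound exception is the one line worth a second pair of eyes.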