We went pretty deep into the weeds on NAT in this thread - far deeper than I expected ;)

Getting back to the recently revised topic of this thread - IPv6 uptake - what have people's experiences been related to crafting sane v6 firewall rulesets in recent products from the major firewall players (Palo Alto, Cisco, Fortinet, etc.)? On the last major v6 deployment I did, working with the firewalls was definitely one of the major pain points because the support / stability was really lacking, or there wasn't full feature parity between their v4 and v6 capabilities.

Thank you
jms

On Fri, Feb 16, 2024 at 11:04 PM William Herrin <bill@herrin.us> wrote:
On Fri, Feb 16, 2024 at 7:41 PM John R. Levine <johnl@iecc.com> wrote:
That it's possible to implement network security well without using NAT does not contradict the claim that NAT enhances network security.
I think we're each overgeneralizing from our individual experience.
You can configure a V6 firewall to be default closed as easily as you can configure a NAT.
Hi John,
We're probably not speaking the same language. You're talking about configuring the function of one layer in a security stack. I'm talking about adding or removing a layer in a security stack. Address overloaded NAT in conjunction with private internal addresses is an additional layer in a security stack. It has security-relevant properties that the other layers don't duplicate. Regardless of how you configure it.
Also, you can't "configure" a layer to be default closed. That's a property of the security layer. It either is or it is not.
You can configure a layer to be "default deny," which I assume is what you meant. The issue is that anything that can be configured can be accidentally unconfigured. When default-deny is accidentally unconfigured, the network becomes wide open. When NAT is accidentally unconfigured, the network stops functioning entirely. The gate is closed.
Regards, Bill Herrin
--
William Herrin
bill@herrin.us
https://bill.herrin.us/
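As an added example, not code from anyone in this thread or from any of the vendors jms names: a minimal IPv6 ruleset in Linux nftables syntax that is "default deny" in the sense Bill describes, shown here because the shape of a sane v6 ruleset differs from v4 in one way that bites people: IPv6 cannot function with all ICMPv6 dropped (Neighbor Discovery and Path MTU discovery ride on it, per RFC 4890), so a v4-style "block all ICMP" port makes a v6 network flaky rather than secure. The WAN interface name, the documentation prefix 2001:db8:1::/48 and the SSH port are assumptions of the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: WAN interface "eth0",
# inside prefix 2001:db8:1::/48 (RFC 3849 documentation space), SSH on 22.
flush ruleset

define WAN = "eth0"
define LAN_PREFIX = 2001:db8:1::/48

table ip6 filter {
    chain input {
        # "policy drop" is the default-deny layer. Changing this one token
        # to "policy accept", or flushing the table, is the "accidentally
        # unconfigured" case Bill describes: the host is then wide open.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMPv6 that IPv6 itself depends on (RFC 4890): Neighbor Discovery,
        # router discovery, PMTUD and error reporting. Dropping these does
        # not make the host closed; it makes it malfunction.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request } accept

        # DHCPv6 replies arrive from a link-local server address on the WAN
        iif $WAN ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # Management only from the inside prefix, never from the WAN
        iif != $WAN ip6 saddr $LAN_PREFIX tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Transit ICMPv6 errors toward inside hosts; without packet-too-big,
        # inbound PMTUD fails and large transfers stall.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Inside hosts may initiate outbound; nothing new is accepted inbound
        iif != $WAN oif $WAN ip6 saddr $LAN_PREFIX accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and keep the file under version control. Because the whole posture rests on the `policy drop` tokens, a cheap periodic check is `nft list ruleset | grep policy`, which should show `policy drop` for the input and forward chains; an empty ruleset or `policy accept` there is exactly the fail-open state the thread is discussing, and it is worth alerting on rather than discovering by accident.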