Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
Wotcha,
Number 1 gets you thinking along the IPv6 route (no pun, and imho :) ) since you have to treat each box as if it was public.
I see this kind of statement surprisingly often. Having a public address doesn't make a device public. I don't really see a drive to have devices exposed to the internet without a stateful device in front of them in the IPv6 world. People shouldn't allow unsolicited connections to hit your internal workstation on any address scheme.
Cheers, Alex.
Date: Tue, 10 Dec 2013 05:56:41 +1300
From: Pieter De Wit <pieter@insync.za.net>
To: nznog@list.waikato.ac.nz
Subject: Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
Message-ID: <52A5F649.7070904@insync.za.net>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Hi,
I normally use a combination of "1" and "2". I prefer 1 for weird and "not NAT friendly" protocols, like SIP or some other application. The general rule of thumb is to use number 2 in other cases. In both setups, remember to deploy local firewalls as well. This will help for the case when a box on the subnet is hacked.
My other twist is to deploy "1" without the private NIC, along with local firewalls (and as you said, a dedicated FW).
Number 1 gets you thinking along the IPv6 route (no pun, and imho :) ) since you have to treat each box as if it was public.
Cheers,
Pieter
On 11/12/13 10:13 am, "Alex White-Robinson" <alexwr@gmail.com> wrote:
Wotcha,
Number 1 gets you thinking along the IPv6 route (no pun, and imho :) ) since you have to treat each box as if it was public.
I see this kind of statement surprisingly often. Having a public address doesn't make a device public.
Yes it does, it makes end to end connectivity work again. NAT broke that (and it's one of the best things about v6). People have been relying on the fact that you need rules to get through a NAT to reach a box, thereby having NAT work as an inbound firewall. NAT != Security. But yes, having a public address means your box is public; you have to do something to STOP traffic getting to it. With NAT you have to do something to ENABLE traffic to get to it.
I don't really see a drive to have devices exposed to the internet without a stateful device in front of them in the IPv6 world. People shouldn't allow unsolicited connections to hit your internal workstation on any address scheme.
Cheers, Alex.
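Pieter's advice above (deploy "1" without the private NIC, but with a local firewall on every box) and Geraint's point that with a public address you have to do something to STOP traffic come down to the same thing on the host: a default-deny, stateful inbound ruleset. The nftables ruleset below is an added example written for this thread, not a configuration any of the posters published. The service ports 80 and 443, the management prefixes 2001:db8:ffff::/48 and 192.0.2.0/24, and the table and chain names are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a dual-stack web server that carries
# a public IPv4 and IPv6 address directly (option "1", no DNAT in front).
# The inet family applies the same rules to both address families, so one
# ruleset covers every address on the box.
flush ruleset

table inet hostfw {
    chain input {
        # Default-deny is the "do something to STOP traffic" step: nothing
        # unsolicited reaches a service unless a rule below accepts it.
        type filter hook input priority 0; policy drop;

        # Local processes talking to themselves.
        iifname "lo" accept

        # Stateful part: replies to connections this host opened, and
        # related flows (e.g. ICMP errors for an existing connection).
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6: neighbour discovery replaces
        # ARP, router advertisements carry the default route, and
        # packet-too-big is required for path MTU discovery. Dropping all
        # ICMPv6 "for security" silently breaks the host.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem,
            echo-request, mld-listener-query
        } accept

        # A comparable, smaller set for IPv4.
        icmp type {
            echo-request, destination-unreachable,
            time-exceeded, parameter-problem
        } accept

        # The only service this box offers to the world (assumed ports).
        tcp dport { 80, 443 } accept

        # Management only from the admin networks (assumed documentation
        # prefixes; replace with the real ones).
        ip6 saddr 2001:db8:ffff::/48 tcp dport 22 accept
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # Everything else falls through to the drop policy; log a sample
        # so a scan or a misconfiguration shows up in syslog.
        limit rate 5/second log prefix "hostfw-drop: "
    }

    chain forward {
        # This is a server, not a router: never forward between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is left open here; tighten if the box must not call out.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. Under option "2" (DNAT at the edge) the port-forward rule on the gateway is the explicit "ENABLE" step Geraint describes, but Pieter's "deploy local firewalls as well" still applies: the same host ruleset limits what a compromised neighbour on the private subnet can reach, which the edge NAT does nothing about.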
On Dec 10, 2013 2:32 PM, "Geraint Jones" <geraint@koding.com> wrote:
On 11/12/13 10:13 am, "Alex White-Robinson" <alexwr@gmail.com> wrote:
Wotcha,
Number 1 gets you thinking along the IPv6 route (no pun, and imho :) ) since you have to treat each box as if it was public.
I see this kind of statement surprisingly often. Having a public address doesn't make a device public.
Yes it does, it makes end to end connectivity work again. NAT broke that (and it's one of the best things about v6). People have been relying on the fact that you need rules to get through a NAT to reach a box, thereby having NAT work as an inbound firewall. NAT != Security.
But yes, having a public address means your box is public; you have to do something to STOP traffic getting to it. With NAT you have to do something to ENABLE traffic to get to it.
Correct. IPv6 correctly supports the end to end model. Firewalls can be scalably implemented on the host, not on middle boxes. The firewall mindset is locked in from the win2k days, NAT reinforced that, and it is worth re-evaluating removing firewalls with IPv6.
Question: are NANOG meeting networks stateful firewalled?
Follow-up question -- if there is no firewall, do folks experience a higher degree of malware infection after the meeting?
CB
On Dec 10, 2013, at 8:27 PM, cb.list6 <cb.list6@gmail.com> wrote:
Correct. IPv6 correctly supports the end to end model.
Yes, if you know the IP address of my printer you can use up my toner (it’s already low) and paper. Then again, it’s IPv6 so good luck finding it. The first nibble is 2. Let me know when you’ve found it. :)
I’ve actually had to deal with too many networks that perform MITM or other activities that I actually find it useful to VPN to get a public, unfiltered IP address.
The days of a machine being hit with malware in minutes/seconds are done. The background radiation is still there, but it’s far more effective to use other methods (spam, social networks, ad networks, etc.)… Doesn’t mean that’s the only way, but many of the ‘easily exploitable’ methods from a decade ago are no longer there.
- Jared
Greetings,
On Tue, 10 Dec 2013, Jared Mauch wrote:
On Dec 10, 2013, at 8:27 PM, cb.list6 <cb.list6@gmail.com> wrote:
Correct. IPv6 correctly supports the end to end model.
Yes, if you know the IP address of my printer you can use up my toner (it’s already low) and paper. Then again, It’s IPv6 so good luck finding it. The first nibble is 2. Let me know when you’ve found it.
:)
I think I have narrowed it down a wee bit (based on your email header). [2001:418:3f4::5] plus or minus a few on the last digit...
--- Jay Nugent
ascii ribbon campaign in support of plain text e-mail
Averaging at least 3 days of MTBWTF!?!?!?
The solution for long term Internet growth is IPv6.
Jay Nugent jjn@nuge.com (734)484-5105 (734)649-0850/Cell
Nugent Telecommunications [www.nuge.com]
Internet Consulting/Linux SysAdmin/Engineering & Design
ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring