One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?".
It seems like a loaded question but unless you have some pretty advanced security *in* your network, then most folks don' know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example but have seen it happen more than once... -----Original Message----- From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop Sent: Wednesday, July 1, 2015 11:16 AM To: [email protected] Subject: Re: [AFMUG] private ipv4 sale / leases Maybe I need to study a bit more, but I run MT, haven't had a security issue yet. I've got a firewall configured on the MT. The only way I see into my network is owning one of my routers, though you guys may educate me. We've had plenty of attempts. The only thing that has successfully shut us down so far was the DNS DDoS attack saturating our fiber. I know nothing is 100% secure, but not having my personal network directly on the Internet certainly seems better to me. ----- Original Message ----- From: "Ken Hohhof" <[email protected]> To: <[email protected]> Sent: Wednesday, July 01, 2015 10:09 AM Subject: Re: [AFMUG] private ipv4 sale / leases > > NAT is not security through obscurity, unless you're referring to 1:1 NAT > which is not what most people mean when they say NAT. > > Setting up NAT in a Mikrotik illuminates the situation. In order for NAT > (actually overloaded dynamic NAT/PAT) to work, you must turn on connection > tracking, allow incoming established and related, and block all other > inbound traffic unless port forwarding is set up via dstnat. > > In other words, a stateful firewall. > > Now if you're talking about advanced firewall functions like > detecting/blocking/reporting intrusion attempts, yeah that's great, but > it's beyond what 99.99% of people implement in their firewall. > > > > -----Original Message----- > From: Paul Stewart > Sent: Wednesday, July 01, 2015 9:52 AM > To: [email protected] > Subject: Re: [AFMUG] private ipv4 sale / leases > > I'm not sure your argument is really valid.. NAT is "security through > obscurity" which translates to "zero additional security" also known as > "false security" > > IPv6 behind a stateful firewall is just as secure - some folks would argue > it's more secure but that argument would take several paragraphs to get > into ;) > > -----Original Message----- > From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop > Sent: Wednesday, July 1, 2015 10:01 AM > To: [email protected] > Subject: Re: [AFMUG] private ipv4 sale / leases > > Yeah, but the great thing about NAT is that my network isn't public. > > That is my primary argument with IPv6. > > > > ----- Original Message ----- > From: "Chuck McCown" <[email protected]> > To: <[email protected]> > Sent: Wednesday, July 01, 2015 8:28 AM > Subject: Re: [AFMUG] private ipv4 sale / leases > > >> >> You could use a single IPv6 to say, Mars. >> >> And everyone on Mars could have their own static IP that uses the first >> 64 >> to get to Mars and the second 64 to get to all the subscribers. Assuming >> routers exist that would do this. >> >> -----Original Message----- >> From: Matt >> Sent: Wednesday, July 01, 2015 7:22 AM >> To: [email protected] >> Subject: Re: [AFMUG] private ipv4 sale / leases >> >>> Just saying that NAT is not needed. Every single IP gives you so much >>> address space that you will never be able to use it. >>> >>> Essentially a number of globally routable set of static IPs come with >>> every IP such that one single IP could probably run the whole planet >>> right now. >> >> You mean every /64 which is minimum customer assignment in most >> respects does. A single IPv6 IP is still just a single IP. >> > > > >
