I guess Im stuck in the limited space mindset with NAT but many of our clients have multiple mail serverish devices on their networks that all need to present as the same IP to meet reverse DNS and spf I dont now whether my mindest on that is efficient or lazy We have alot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else, I suppose we could add all our workstations to that policy, or a subnet ( I assume ip6 has subnets)
On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart <[email protected]> wrote: > One other comment around "haven't had a security issue yet". I used to > get the same argument from a former co-worker and my question was always > "how do you know you haven't had a security issue?". > > It seems like a loaded question but unless you have some pretty advanced > security *in* your network, then most folks don' know they have been > breached. I showed someone a few years ago that their Windows server had > been pawned and they didn't believe me at first - then I showed that for > the previous 3 years someone had full access remotely to that server and > had been gathering data from it on regular basis. This server was behind > two layers of firewalls, host IDS, network IDS, anti-spyware, and > anti-virus. Pretty extreme example but have seen it happen more than > once... > > > -----Original Message----- > From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop > Sent: Wednesday, July 1, 2015 11:16 AM > To: [email protected] > Subject: Re: [AFMUG] private ipv4 sale / leases > > Maybe I need to study a bit more, but I run MT, haven't had a security > issue yet. > > I've got a firewall configured on the MT. The only way I see into my > network is owning one of my routers, though you guys may educate me. > > We've had plenty of attempts. The only thing that has successfully shut us > down so far was the DNS DDoS attack saturating our fiber. > > I know nothing is 100% secure, but not having my personal network directly > on the Internet certainly seems better to me. > > > > ----- Original Message ----- > From: "Ken Hohhof" <[email protected]> > To: <[email protected]> > Sent: Wednesday, July 01, 2015 10:09 AM > Subject: Re: [AFMUG] private ipv4 sale / leases > > > > > > NAT is not security through obscurity, unless you're referring to 1:1 NAT > > which is not what most people mean when they say NAT. > > > > Setting up NAT in a Mikrotik illuminates the situation. In order for NAT > > (actually overloaded dynamic NAT/PAT) to work, you must turn on > connection > > tracking, allow incoming established and related, and block all other > > inbound traffic unless port forwarding is set up via dstnat. > > > > In other words, a stateful firewall. > > > > Now if you're talking about advanced firewall functions like > > detecting/blocking/reporting intrusion attempts, yeah that's great, but > > it's beyond what 99.99% of people implement in their firewall. > > > > > > > > -----Original Message----- > > From: Paul Stewart > > Sent: Wednesday, July 01, 2015 9:52 AM > > To: [email protected] > > Subject: Re: [AFMUG] private ipv4 sale / leases > > > > I'm not sure your argument is really valid.. NAT is "security through > > obscurity" which translates to "zero additional security" also known as > > "false security" > > > > IPv6 behind a stateful firewall is just as secure - some folks would > argue > > it's more secure but that argument would take several paragraphs to get > > into ;) > > > > -----Original Message----- > > From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop > > Sent: Wednesday, July 1, 2015 10:01 AM > > To: [email protected] > > Subject: Re: [AFMUG] private ipv4 sale / leases > > > > Yeah, but the great thing about NAT is that my network isn't public. > > > > That is my primary argument with IPv6. > > > > > > > > ----- Original Message ----- > > From: "Chuck McCown" <[email protected]> > > To: <[email protected]> > > Sent: Wednesday, July 01, 2015 8:28 AM > > Subject: Re: [AFMUG] private ipv4 sale / leases > > > > > >> > >> You could use a single IPv6 to say, Mars. > >> > >> And everyone on Mars could have their own static IP that uses the first > >> 64 > >> to get to Mars and the second 64 to get to all the subscribers. > Assuming > >> routers exist that would do this. > >> > >> -----Original Message----- > >> From: Matt > >> Sent: Wednesday, July 01, 2015 7:22 AM > >> To: [email protected] > >> Subject: Re: [AFMUG] private ipv4 sale / leases > >> > >>> Just saying that NAT is not needed. Every single IP gives you so much > >>> address space that you will never be able to use it. > >>> > >>> Essentially a number of globally routable set of static IPs come with > >>> every IP such that one single IP could probably run the whole planet > >>> right now. > >> > >> You mean every /64 which is minimum customer assignment in most > >> respects does. A single IPv6 IP is still just a single IP. > >> > > > > > > > > > > > -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
