Very correct, Glen. NAT is not secure. It's like blending your door into the rest of your house. The door is still there, just a little harder to find. But if there are no locks it's still an unlocked door.

Justin

---
Justin Wilson <[email protected]>
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange

> On Jul 1, 2015, at 12:21 PM, Glen Waldrop <[email protected]> wrote:
>
> I think we're having two different conversations here.
>
> I'm using NAT with a firewall. I don't think anyone is saying NAT by itself is secure.
>
>> ----- Original Message -----
>> From: Justin Wilson - MTIN
>> To: [email protected]
>> Sent: Wednesday, July 01, 2015 11:01 AM
>> Subject: Re: [AFMUG] private ipv4 sale / leases
>>
>> IPv6 is very DNS orientated. There is no way you are going to remember IP addresses like you do in V4. DNS and backend systems are going to become more and more critical to the ISPs who are providing V6. Also, IMHO, more and more managed routers are going to be deployed as folks go to V6. Those who support customer-owned routers will be overwhelmed if they follow the same philosophy with V6 routers. Full IPv6 support is severely lacking in many manufacturers. So, now you have semi-compliant devices out there with buggy software doing weird things. This becomes a troubleshooting nightmare for folks. To combat this I think we will see those deploying V6 sending out a "modem" or managed router that is the endpoint. Right now, if you are running your CPE in router mode (which I encourage) your options for V6 support are very limited. Mikrotik will do this. UBNT won't. Cambium won't.
>>
>> The false sense of security folks have fallen into is NAT is just security by obscurity. It's not really security. For the typical home user it's on the borderline of good enough.
>>
>> As folks move away from NAT to V6 you will also see performance increases on higher bandwidth circuits. NAT causes a performance hit. The router has to keep track of translation tables and the like.
>>
>> V6 still travels over port 80, 110, etc. You simply need a firewall that understands V6 and away you go. This is where IP management software can help you. Some of them out there can export to DNS, can create iptables rules, etc. With V6 the goal is to have more things automated on the backend.
>>
>> Justin
>>
>> ---
>> Justin Wilson <[email protected]>
>> http://www.mtin.net Managed Services – xISP Solutions – Data Centers
>> http://www.thebrotherswisp.com Podcast about xISP topics
>> http://www.midwest-ix.com Peering – Transit – Internet Exchange
>>
>>> On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm <[email protected]> wrote:
>>>
>>> I guess I'm stuck in the limited space mindset with NAT, but many of our clients have multiple mail-server-ish devices on their networks that all need to present as the same IP to meet reverse DNS and SPF. I don't know whether my mindset on that is efficient or lazy.
>>> We have a lot of firewall access policies on our clients that limit access to only coming from our office firewall, nothing else. I suppose we could add all our workstations to that policy, or a subnet (I assume ip6 has subnets).
>>>
>>> On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart <[email protected]> wrote:
>>>> One other comment around "haven't had a security issue yet". I used to get the same argument from a former co-worker and my question was always "how do you know you haven't had a security issue?".
>>>>
>>>> It seems like a loaded question but unless you have some pretty advanced security *in* your network, then most folks don't know they have been breached. I showed someone a few years ago that their Windows server had been pawned and they didn't believe me at first - then I showed that for the previous 3 years someone had full access remotely to that server and had been gathering data from it on a regular basis. This server was behind two layers of firewalls, host IDS, network IDS, anti-spyware, and anti-virus. Pretty extreme example but have seen it happen more than once...
>>>>
>>>> -----Original Message-----
>>>> From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
>>>> Sent: Wednesday, July 1, 2015 11:16 AM
>>>> To: [email protected]
>>>> Subject: Re: [AFMUG] private ipv4 sale / leases
>>>>
>>>> Maybe I need to study a bit more, but I run MT, haven't had a security issue yet.
>>>>
>>>> I've got a firewall configured on the MT. The only way I see into my network is owning one of my routers, though you guys may educate me.
>>>>
>>>> We've had plenty of attempts. The only thing that has successfully shut us down so far was the DNS DDoS attack saturating our fiber.
>>>>
>>>> I know nothing is 100% secure, but not having my personal network directly on the Internet certainly seems better to me.
>>>>
>>>> ----- Original Message -----
>>>> From: "Ken Hohhof" <[email protected]>
>>>> To: <[email protected]>
>>>> Sent: Wednesday, July 01, 2015 10:09 AM
>>>> Subject: Re: [AFMUG] private ipv4 sale / leases
>>>>
>>>> > NAT is not security through obscurity, unless you're referring to 1:1 NAT which is not what most people mean when they say NAT.
>>>> >
>>>> > Setting up NAT in a Mikrotik illuminates the situation. In order for NAT (actually overloaded dynamic NAT/PAT) to work, you must turn on connection tracking, allow incoming established and related, and block all other inbound traffic unless port forwarding is set up via dstnat.
>>>> >
>>>> > In other words, a stateful firewall.
>>>> >
>>>> > Now if you're talking about advanced firewall functions like detecting/blocking/reporting intrusion attempts, yeah that's great, but it's beyond what 99.99% of people implement in their firewall.
>>>> >
>>>> > -----Original Message-----
>>>> > From: Paul Stewart
>>>> > Sent: Wednesday, July 01, 2015 9:52 AM
>>>> > To: [email protected]
>>>> > Subject: Re: [AFMUG] private ipv4 sale / leases
>>>> >
>>>> > I'm not sure your argument is really valid.. NAT is "security through obscurity" which translates to "zero additional security" also known as "false security"
>>>> >
>>>> > IPv6 behind a stateful firewall is just as secure - some folks would argue it's more secure but that argument would take several paragraphs to get into ;)
>>>> >
>>>> > -----Original Message-----
>>>> > From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
>>>> > Sent: Wednesday, July 1, 2015 10:01 AM
>>>> > To: [email protected]
>>>> > Subject: Re: [AFMUG] private ipv4 sale / leases
>>>> >
>>>> > Yeah, but the great thing about NAT is that my network isn't public.
>>>> >
>>>> > That is my primary argument with IPv6.
>>>> >
>>>> > ----- Original Message -----
>>>> > From: "Chuck McCown" <[email protected]>
>>>> > To: <[email protected]>
>>>> > Sent: Wednesday, July 01, 2015 8:28 AM
>>>> > Subject: Re: [AFMUG] private ipv4 sale / leases
>>>> >
>>>> >> You could use a single IPv6 to say, Mars.
>>>> >>
>>>> >> And everyone on Mars could have their own static IP that uses the first 64 to get to Mars and the second 64 to get to all the subscribers. Assuming routers exist that would do this.
>>>> >>
>>>> >> -----Original Message-----
>>>> >> From: Matt
>>>> >> Sent: Wednesday, July 01, 2015 7:22 AM
>>>> >> To: [email protected]
>>>> >> Subject: Re: [AFMUG] private ipv4 sale / leases
>>>> >>
>>>> >>> Just saying that NAT is not needed. Every single IP gives you so much address space that you will never be able to use it.
>>>> >>>
>>>> >>> Essentially a number of globally routable set of static IPs come with every IP such that one single IP could probably run the whole planet right now.
>>>> >>
>>>> >> You mean every /64 which is minimum customer assignment in most respects does. A single IPv6 IP is still just a single IP.
>>>
>>> --
>>> If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
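The Mikrotik rule set Ken describes (connection tracking, accept established/related, drop everything else unless dstnat) written out for IPv4 beside the equivalent explicit policy for IPv6, illustrating Paul's point that the stateful filter, not the translation, is what protects the LAN. This is an added example, not configuration posted by anyone in the thread; it assumes RouterOS v6 syntax, a WAN interface named ether1-wan, and constructed addresses 192.168.88.10 and 2001:db8:1::10 for one internal mail host.

```routeros
# IPv4: masquerade only works on top of connection tracking; the filter rules
# below are what actually keep unsolicited Internet traffic out of the LAN.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
# one port-forward (dstnat) for a constructed internal mail host
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.88.10 to-ports=25

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# only traffic that a dstnat rule explicitly translated may enter from the WAN
add chain=forward in-interface=ether1-wan connection-nat-state=!dstnat action=drop
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1-wan action=drop

# IPv6: no translation, so the same stateful policy is stated explicitly.
# Hosts keep globally routable addresses, but nothing reaches them from the
# WAN unless a forward rule allows it, exactly as with the dstnat case above.
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# ICMPv6 carries neighbour discovery and path-MTU discovery; dropping it wholesale breaks v6
add chain=forward protocol=icmpv6 action=accept
# explicit equivalent of the IPv4 port-forward (assumed host address)
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=25 dst-address=2001:db8:1::10/128 action=accept
add chain=forward in-interface=ether1-wan action=drop
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input in-interface=ether1-wan action=drop
```

The two rule sets admit exactly the same inbound traffic; the IPv6 version simply makes the "which hosts and ports are reachable" decision visible in the filter instead of hiding it inside a NAT table.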