I correlate the NAT security to a daughters bedroom. Most fathers dont have an exterior door on their daughters bedroom You dont just walk directly in, sure somebody can put a ladder to her window (port forward) but by defaul there is a slight measure of security because you have to come in the house door and traverse your way to her bedroom Now, its always best to have a firewall (you put the daughters bedroom at the end of the hall past dads room) Then to be super secure, you put in a Smith and Wesson IDS
On Wed, Jul 1, 2015 at 11:25 AM, Justin Wilson - MTIN <li...@mtin.net> wrote: > Very Correct Glen. Nat is not secure. It’s like blending your door into > the rest of your house. The door is still there just a little harder to > find. But if there are no locks it’s still an unlocked door. > > Justin > > --- > Justin Wilson <j...@mtin.net> > http://www.mtin.net Managed Services – xISP Solutions – Data Centers > http://www.thebrotherswisp.com Podcast about xISP topics > http://www.midwest-ix.com Peering – Transit – Internet Exchange > > On Jul 1, 2015, at 12:21 PM, Glen Waldrop <gwl...@cngwireless.net> wrote: > > I think we're having two different conversations here. > > I'm using NAT with a firewall. I don't think anyone is saying NAT by > itself is secure. > > > > ----- Original Message ----- > *From:* Justin Wilson - MTIN <li...@mtin.net> > *To:* af@afmug.com > *Sent:* Wednesday, July 01, 2015 11:01 AM > *Subject:* Re: [AFMUG] private ipv4 sale / leases > > IPV6 is very DNS orientated. There is no way you are going to remember ip > addresses like you do in V4. DNS and backend systems are going to become > more and more critical to the ISPs who are providing V6. Also, IMHO, more > and more managed routers are going to be deployed as folks go to V6. Those > who support customer owned routers will be overwhelmed if they follow the > same philosophy with V6 routers. Full IPv6 support is severely lacking in > many manufacturers. So, now you have semi-compliant devices out there with > buggy software doing weird things. This becomes a troubleshooting > nightmare for folks. To combat this I think we will see those deploying > V6 sending out a “modem” or managed router that is the endpoint. Right > now, if you are running your CPE in router mode (which I encourage) your > options for V6 support are very limited. Mikrotik will do this. UBNT > won’t. Cambium won’t. > > The false sense of security folks have fallen into is Nat is just security > by obscurity. It’s not really security. For the typical home user it’s on > the borderline of good enough. As folks move away from nat to V6 you will > also see performance increases on higher bandwidth circuits. Nat causes a > performance hit. The router has to keep track of translation tables and > the like. > > V6 still travels over port 80, 110,etc. You simply need a firewall that > understands V6 and away you go. This is where IP management software can > help you. Some of them out there can export to DNS, can create iptables > rules, etc. With V6 the goal is to have more things automated on the > backend. > > Justin > > --- > Justin Wilson <j...@mtin.net> > http://www.mtin.net Managed Services – xISP Solutions – Data Centers > http://www.thebrotherswisp.com Podcast about xISP topics > http://www.midwest-ix.com Peering – Transit – Internet Exchange > > On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm < > thatoneguyst...@gmail.com> wrote: > > I guess Im stuck in the limited space mindset with NAT > but many of our clients have multiple mail serverish devices on their > networks that all need to present as the same IP to meet reverse DNS and spf > I dont now whether my mindest on that is efficient or lazy > We have alot of firewall access policies on our clients that limit access > to only coming from our office firewall, nothing else, I suppose we could > add all our workstations to that policy, or a subnet ( I assume ip6 has > subnets) > > On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart <p...@paulstewart.org> > wrote: > >> One other comment around "haven't had a security issue yet". I used to >> get the same argument from a former co-worker and my question was always >> "how do you know you haven't had a security issue?". >> >> It seems like a loaded question but unless you have some pretty advanced >> security *in* your network, then most folks don' know they have been >> breached. I showed someone a few years ago that their Windows server had >> been pawned and they didn't believe me at first - then I showed that for >> the previous 3 years someone had full access remotely to that server and >> had been gathering data from it on regular basis. This server was behind >> two layers of firewalls, host IDS, network IDS, anti-spyware, and >> anti-virus. Pretty extreme example but have seen it happen more than >> once... >> >> >> -----Original Message----- >> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop >> Sent: Wednesday, July 1, 2015 11:16 AM >> To: af@afmug.com >> Subject: Re: [AFMUG] private ipv4 sale / leases >> >> Maybe I need to study a bit more, but I run MT, haven't had a security >> issue yet. >> >> I've got a firewall configured on the MT. The only way I see into my >> network is owning one of my routers, though you guys may educate me. >> >> We've had plenty of attempts. The only thing that has successfully shut >> us down so far was the DNS DDoS attack saturating our fiber. >> >> I know nothing is 100% secure, but not having my personal network >> directly on the Internet certainly seems better to me. >> >> >> >> ----- Original Message ----- >> From: "Ken Hohhof" <af...@kwisp.com> >> To: <af@afmug.com> >> Sent: Wednesday, July 01, 2015 10:09 AM >> Subject: Re: [AFMUG] private ipv4 sale / leases >> >> >> > >> > NAT is not security through obscurity, unless you're referring to 1:1 >> NAT >> > which is not what most people mean when they say NAT. >> > >> > Setting up NAT in a Mikrotik illuminates the situation. In order for >> NAT >> > (actually overloaded dynamic NAT/PAT) to work, you must turn on >> connection >> > tracking, allow incoming established and related, and block all other >> > inbound traffic unless port forwarding is set up via dstnat. >> > >> > In other words, a stateful firewall. >> > >> > Now if you're talking about advanced firewall functions like >> > detecting/blocking/reporting intrusion attempts, yeah that's great, but >> > it's beyond what 99.99% of people implement in their firewall. >> > >> > >> > >> > -----Original Message----- >> > From: Paul Stewart >> > Sent: Wednesday, July 01, 2015 9:52 AM >> > To: af@afmug.com >> > Subject: Re: [AFMUG] private ipv4 sale / leases >> > >> > I'm not sure your argument is really valid.. NAT is "security through >> > obscurity" which translates to "zero additional security" also known as >> > "false security" >> > >> > IPv6 behind a stateful firewall is just as secure - some folks would >> argue >> > it's more secure but that argument would take several paragraphs to get >> > into ;) >> > >> > -----Original Message----- >> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop >> > Sent: Wednesday, July 1, 2015 10:01 AM >> > To: af@afmug.com >> > Subject: Re: [AFMUG] private ipv4 sale / leases >> > >> > Yeah, but the great thing about NAT is that my network isn't public. >> > >> > That is my primary argument with IPv6. >> > >> > >> > >> > ----- Original Message ----- >> > From: "Chuck McCown" <ch...@wbmfg.com> >> > To: <af@afmug.com> >> > Sent: Wednesday, July 01, 2015 8:28 AM >> > Subject: Re: [AFMUG] private ipv4 sale / leases >> > >> > >> >> >> >> You could use a single IPv6 to say, Mars. >> >> >> >> And everyone on Mars could have their own static IP that uses the first >> >> 64 >> >> to get to Mars and the second 64 to get to all the subscribers. >> Assuming >> >> routers exist that would do this. >> >> >> >> -----Original Message----- >> >> From: Matt >> >> Sent: Wednesday, July 01, 2015 7:22 AM >> >> To: af@afmug.com >> >> Subject: Re: [AFMUG] private ipv4 sale / leases >> >> >> >>> Just saying that NAT is not needed. Every single IP gives you so much >> >>> address space that you will never be able to use it. >> >>> >> >>> Essentially a number of globally routable set of static IPs come with >> >>> every IP such that one single IP could probably run the whole planet >> >>> right now. >> >> >> >> You mean every /64 which is minimum customer assignment in most >> >> respects does. A single IPv6 IP is still just a single IP. >> >> >> > >> > >> > >> > >> >> >> > > > -- > If you only see yourself as part of the team but you don't see your team > as part of yourself you have already failed as part of the team. > > > > > -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
