and bars on the windows?
bp
<part15sbs{at}gmail{dot}com>
On 7/1/2015 10:26 AM, That One Guy /sarcasm wrote:
I correlate the NAT security to a daughter's bedroom.
Most fathers don't have an exterior door on their daughter's bedroom.
You don't just walk directly in; sure, somebody can put a ladder to her
window (port forward), but by default there is a slight measure of
security because you have to come in the house door and traverse your
way to her bedroom.
Now, it's always best to have a firewall (you put the daughter's bedroom
at the end of the hall past dad's room).
Then to be super secure, you put in a Smith and Wesson IDS.
On Wed, Jul 1, 2015 at 11:25 AM, Justin Wilson - MTIN <[email protected]> wrote:
Very correct, Glen. NAT is not secure. It's like blending your
door into the rest of your house. The door is still there, just a
little harder to find. But if there are no locks it's still an
unlocked door.
Justin
---
Justin Wilson <[email protected]>
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange
On Jul 1, 2015, at 12:21 PM, Glen Waldrop <[email protected]> wrote:
I think we're having two different conversations here.
I'm using NAT with a firewall. I don't think anyone is saying NAT
by itself is secure.
----- Original Message -----
From: Justin Wilson - MTIN <[email protected]>
To: [email protected]
Sent: Wednesday, July 01, 2015 11:01 AM
Subject: Re: [AFMUG] private ipv4 sale / leases
IPv6 is very DNS oriented. There is no way you are going to
remember ip addresses like you do in V4. DNS and backend
systems are going to become more and more critical to the ISPs
who are providing V6. Also, IMHO, more and more managed routers
are going to be deployed as folks go to V6. Those who support
customer owned routers will be overwhelmed if they follow the
same philosophy with V6 routers. Full IPv6 support is severely
lacking in many manufacturers. So, now you have semi-compliant
devices out there with buggy software doing weird things. This
becomes a troubleshooting nightmare for folks. To combat this
I think we will see those deploying V6 sending out a “modem” or
managed router that is the endpoint. Right now, if you are
running your CPE in router mode (which I encourage) your options
for V6 support are very limited. Mikrotik will do this. UBNT
won’t. Cambium won’t.
The false sense of security folks have fallen into is NAT is
just security by obscurity. It's not really security. For the
typical home user it's on the borderline of good enough. As
folks move away from NAT to V6 you will also see performance
increases on higher bandwidth circuits. NAT causes a
performance hit. The router has to keep track of translation
tables and the like.
V6 still travels over ports 80, 110, etc. You simply need a
firewall that understands V6 and away you go. This is where IP
management software can help you. Some of them out there can
export to DNS, can create iptables rules, etc. With V6 the
goal is to have more things automated on the backend.
Justin
---
Justin Wilson <[email protected]>
http://www.mtin.net Managed Services – xISP Solutions – Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering – Transit – Internet Exchange
On Jul 1, 2015, at 11:38 AM, That One Guy /sarcasm <[email protected]> wrote:
I guess I'm stuck in the limited space mindset with NAT,
but many of our clients have multiple mail-serverish devices on
their networks that all need to present as the same IP to meet
reverse DNS and SPF.
I don't know whether my mindset on that is efficient or lazy.
We have a lot of firewall access policies on our clients that
limit access to only coming from our office firewall, nothing
else. I suppose we could add all our workstations to that
policy, or a subnet (I assume IPv6 has subnets).
On Wed, Jul 1, 2015 at 10:26 AM, Paul Stewart <[email protected]> wrote:
One other comment around "haven't had a security issue yet".
I used to get the same argument from a former co-worker and my
question was always "how do you know you haven't had a
security issue?".
It seems like a loaded question, but unless you have some
pretty advanced security *in* your network, then most folks
don't know they have been breached. I showed someone a few
years ago that their Windows server had been pwned and they
didn't believe me at first - then I showed that for the
previous 3 years someone had full access remotely to that
server and had been gathering data from it on a regular basis.
This server was behind two layers of firewalls, host IDS,
network IDS, anti-spyware, and anti-virus. Pretty extreme
example but have seen it happen more than once...
-----Original Message-----
From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
Sent: Wednesday, July 1, 2015 11:16 AM
To: [email protected]
Subject: Re: [AFMUG] private ipv4 sale / leases
Maybe I need to study a bit more, but I run MT and haven't had a
security issue yet.
I've got a firewall configured on the MT. The only way I see
into my network is owning one of my routers, though you guys
may educate me.
We've had plenty of attempts. The only thing that has
successfully shut us down so far was the DNS DDoS attack
saturating our fiber.
I know nothing is 100% secure, but not having my personal
network directly on the Internet certainly seems better to me.
----- Original Message -----
From: "Ken Hohhof" <[email protected]>
To: <[email protected]>
Sent: Wednesday, July 01, 2015 10:09 AM
Subject: Re: [AFMUG] private ipv4 sale / leases
>
> NAT is not security through obscurity, unless you're referring to 1:1 NAT
> which is not what most people mean when they say NAT.
>
> Setting up NAT in a Mikrotik illuminates the situation. In order for NAT
> (actually overloaded dynamic NAT/PAT) to work, you must turn on connection
> tracking, allow incoming established and related, and block all other
> inbound traffic unless port forwarding is set up via dstnat.
>
> In other words, a stateful firewall.
>
> Now if you're talking about advanced firewall functions like
> detecting/blocking/reporting intrusion attempts, yeah that's great, but
> it's beyond what 99.99% of people implement in their firewall.
>
> -----Original Message-----
> From: Paul Stewart
> Sent: Wednesday, July 01, 2015 9:52 AM
> To: [email protected]
> Subject: Re: [AFMUG] private ipv4 sale / leases
>
> I'm not sure your argument is really valid.. NAT is "security through
> obscurity" which translates to "zero additional security" also known as
> "false security"
>
> IPv6 behind a stateful firewall is just as secure - some folks would argue
> it's more secure but that argument would take several paragraphs to get
> into ;)
>
> -----Original Message-----
> From: Af [mailto:[email protected]] On Behalf Of Glen Waldrop
> Sent: Wednesday, July 1, 2015 10:01 AM
> To: [email protected]
> Subject: Re: [AFMUG] private ipv4 sale / leases
>
> Yeah, but the great thing about NAT is that my network isn't public.
>
> That is my primary argument with IPv6.
>
>
>
> ----- Original Message -----
> From: "Chuck McCown" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, July 01, 2015 8:28 AM
> Subject: Re: [AFMUG] private ipv4 sale / leases
>
>
>>
>> You could use a single IPv6 to say, Mars.
>>
>> And everyone on Mars could have their own static IP that uses the first
>> 64 to get to Mars and the second 64 to get to all the subscribers.
>> Assuming routers exist that would do this.
>>
>> -----Original Message-----
>> From: Matt
>> Sent: Wednesday, July 01, 2015 7:22 AM
>> To: [email protected]
>> Subject: Re: [AFMUG] private ipv4 sale / leases
>>
>>> Just saying that NAT is not needed. Every single IP gives you so much
>>> address space that you will never be able to use it.
>>>
>>> Essentially a number of globally routable set of static IPs come with
>>> every IP such that one single IP could probably run the whole planet
>>> right now.
>>
>> You mean every /64 which is the minimum customer assignment in most
>> respects does. A single IPv6 IP is still just a single IP.
>>
--
If you only see yourself as part of the team but you don't see
your team as part of yourself you have already failed as part
of the team.
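Ken Hohhof's point above (overloaded NAT on a Mikrotik only works once you turn on connection tracking, allow established/related, and drop everything else unless dstnat forwards it) and Paul Stewart's reply (IPv6 behind a stateful firewall is just as secure) come down to the same inbound decision. The Python model below is an added example written for this archive; it is not code from anyone in the thread and it is not RouterOS syntax. It keeps a conntrack table keyed on the reply 5-tuple and applies the same three checks on two constructed edges: an IPv4 edge that NATs and an IPv6 edge that translates nothing. The class and function names, the 1:1-NAT-without-filter class (Ken's exception), and the addresses (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.168.1.0/24, 2001:db8::/32) are my assumptions. It models decisions only: no TCP state machine, no timeouts, no ICMP "related" handling.

```python
"""Model of the connection-tracking decision an overloaded NAT (PAT) edge
must make, and the same decision on an IPv6 edge that translates nothing.
Constructed example for the thread; not Mikrotik/RouterOS code."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# WAN-side 5-tuple of the reply we expect -> LAN endpoint it belongs to
FlowKey = Tuple[str, str, int, str, int]


class StatefulEdge:
    """Edge router with connection tracking. nat=True adds overloaded
    source NAT on wan_addr plus dstnat port forwards; nat=False (the
    IPv6 case) only filters and accepts unsolicited inbound via allow_in."""

    def __init__(self, wan_addr: str, nat: bool,
                 dstnat: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None,
                 allow_in: Optional[Set[Tuple[str, str, int]]] = None) -> None:
        self.wan_addr = wan_addr
        self.nat = nat
        self.dstnat = dstnat or {}         # (proto, wan port) -> (lan ip, lan port)
        self.allow_in = allow_in or set()  # (proto, lan ip, port) accepted without state
        self.conntrack: Dict[FlowKey, Tuple[str, int]] = {}
        self._next_port = 1024             # next PAT source port to hand out

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record the flow; rewrite the source only when NATting."""
        wan_pkt = pkt
        if self.nat:
            wan_pkt = replace(pkt, src=self.wan_addr, sport=self._next_port)
            self._next_port += 1
        reply_key: FlowKey = (pkt.proto, wan_pkt.dst, wan_pkt.dport,
                              wan_pkt.src, wan_pkt.sport)
        self.conntrack[reply_key] = (pkt.src, pkt.sport)
        return wan_pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: established/related, then explicit holes, then drop."""
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:                          # established/related
            lan_ip, lan_port = self.conntrack[key]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if self.nat and pkt.dst == self.wan_addr:          # dstnat port forward
            target = self.dstnat.get((pkt.proto, pkt.dport))
            if target:
                return replace(pkt, dst=target[0], dport=target[1])
        if (pkt.proto, pkt.dst, pkt.dport) in self.allow_in:  # v6 accept rule
            return pkt
        return None                                        # default drop


class OneToOneNatNoFilter:
    """1:1 NAT with no state: every packet to the public address is rewritten
    and delivered. The private address is hidden; nothing is blocked."""

    def __init__(self, public: str, private: str) -> None:
        self.public, self.private = public, private

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.private) if pkt.dst == self.public else None


def run_demo() -> Dict[str, Optional[Packet]]:
    """Same inbound decisions on a NATted IPv4 edge and a no-NAT IPv6 edge."""
    r: Dict[str, Optional[Packet]] = {}

    v4 = StatefulEdge("203.0.113.7", nat=True,
                      dstnat={("tcp", 25): ("192.168.1.10", 25)})
    out = v4.outbound(Packet("tcp", "192.168.1.20", 40000, "198.51.100.5", 443))
    r["v4_on_wire"] = out
    r["v4_reply"] = v4.inbound(Packet("tcp", "198.51.100.5", 443, out.src, out.sport))
    r["v4_unsolicited"] = v4.inbound(Packet("tcp", "198.51.100.5", 5555, "203.0.113.7", 3389))
    r["v4_forwarded_smtp"] = v4.inbound(Packet("tcp", "198.51.100.9", 50000, "203.0.113.7", 25))

    v6 = StatefulEdge("2001:db8::1", nat=False,
                      allow_in={("tcp", "2001:db8:1::10", 25)})
    out6 = v6.outbound(Packet("tcp", "2001:db8:1::20", 40000, "2001:db8:ffff::5", 443))
    r["v6_on_wire"] = out6
    r["v6_reply"] = v6.inbound(Packet("tcp", "2001:db8:ffff::5", 443, "2001:db8:1::20", 40000))
    r["v6_unsolicited"] = v6.inbound(Packet("tcp", "2001:db8:ffff::5", 5555, "2001:db8:1::20", 3389))
    r["v6_allowed_smtp"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 50000, "2001:db8:1::10", 25))

    obscure = OneToOneNatNoFilter("203.0.113.8", "192.168.1.30")
    r["one_to_one_unsolicited"] = obscure.inbound(Packet("tcp", "198.51.100.5", 5555, "203.0.113.8", 3389))
    return r


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:24s} {'DROP' if pkt is None else pkt}")
```

Run it and compare the two edges line by line: the reply to the outbound 443 flow is delivered on both, the unsolicited 3389 probe is dropped on both, and the one hole (SMTP to the mail host) is a dstnat rule on v4 and a plain accept rule on v6. The only case that lets the probe through is the stateless 1:1 NAT, which is the "obscurity" Ken carves out. That One Guy's reverse DNS/SPF concern is also visible in the model: with nat=False each host keeps its own global address, so "present as the same IP" has to be solved by the mail design, not by the edge.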