Not sure if anyone has thought of it like this, but:
Air Gap is still only as secure as the people with access to it. NAT and
firewalls provide a compromise between security and connectivity. But remember
that at a power plant, the PBX system still connects to the outside world, and
there is a
On Nov 15, 2011, at 6:07 PM, Karl Auer wrote:
On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote:
You are making assumptions about how the NAT is designed.
[...]
Unless you know the internals of a NAT you cannot say whether it
fails open or closed.
Indeed not!
From 2010, during an
On Nov 15, 2011, at 7:08 PM, Jay Ashworth wrote:
- Original Message -
From: Mark Andrews ma...@isc.org
In message 29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com, Jay Ashworth writes:
If your firewall is not working, it should not be passing
packets.
And of
NAT neither provides nor contributes to security.
NAT detracts from security by destroying audit trails and
interrupting/obfuscating
attack source identification, forensics, etc.
Respectfully, I'm really struggling with this. Sentence one is an
opinion. It's all a matter of the designers
- Original Message -
From: Owen DeLong o...@delong.com
In this case, a router with NAT is slightly more likely to fail closed than
a router without NAT.
Slightly? Continuing to assume here, as we have been, that the network
behind a NAT is *unroutable*, then a NAT router has, IME,
Can't believe this is still going on. ;-)
NAT does not provide security; it provides utility. It is useful in
many situations, though.
If you are limited in the amount of public IP space you have, then NAT
is one solution to that.
If you want to have a backup connection to the Internet, but
On Nov 16, 2011, at 9:13 AM, -Hammer- wrote:
NAT neither provides nor contributes to security.
NAT detracts from security by destroying audit trails and
interrupting/obfuscating
attack source identification, forensics, etc.
Respectfully, I'm really struggling with this. Sentence one is
On Wed, Nov 16, 2011 at 3:44 PM, Owen DeLong o...@delong.com wrote:
Actually, the first rule of security in many texts I have read is Security
through obscurity
is no security.
Relevant:
http://penny-arcade.com/comic/2003/03/21
:-)
--
Ray Soucy
Epic Communications Specialist
Phone: +1
Well argued Owen. I can see both sides.
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/16/2011 02:44 PM, Owen DeLong wrote:
On Nov 16, 2011, at 9:13 AM, -Hammer- wrote:
NAT neither provides nor contributes to security.
NAT detracts from security by destroying audit trails and
On Nov 16, 2011, at 10:58 AM, Jay Ashworth wrote:
- Original Message -
From: Owen DeLong o...@delong.com
In this case, a router with NAT is slightly more likely to fail closed than
a router without NAT.
Slightly? Continuing to assume here, as we have been, that the network
On Wed, Nov 16, 2011 at 20:38, Ray Soucy r...@maine.edu wrote:
I would go as far as to argue that the false sense of security
provided by NAT is more dangerous than any current threat that NAT
alone would prevent.
Agreed, and I don't think that's going far at all. My opinion is
_both_
On 14 Nov 2011, at 18:52, McCall, Gabriel gabriel.mcc...@thyssenkrupp.com
wrote:
Chuck, you're right that this should not happen- but the reason it should not
happen is because you have a properly functioning stateful firewall, not
because you're using NAT. If your firewall is working
On Tue, 15 Nov 2011 10:57:32 GMT, Leigh Porter said:
Well this is not quite true, is it.. If your firewall is not working and you
have private space internally then you are a lot better off then if you have
public space internally! So if your firewall is not working then having
private
-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
Sent: Tuesday, November 15, 2011 9:17 AM
To: Leigh Porter
Cc: nanog@nanog.org; McCall, Gabriel
Subject: Re: Arguing against using public IP space
And this is totally overlooking the fact that the vast
On Nov 14, 2011, at 11:32 AM, William Herrin wrote:
On Mon, Nov 14, 2011 at 1:50 PM, McCall, Gabriel
gabriel.mcc...@thyssenkrupp.com wrote:
Chuck, you're right that this should not happen- but
the reason it should not happen is because you have
a properly functioning stateful firewall, not
On Tue, Nov 15, 2011 at 9:17 AM, valdis.kletni...@vt.edu wrote:
And this is totally overlooking the fact that the vast majority of *actual*
attacks these days are web-based drive-bys and similar things that most
firewalls are configured to pass through.
Valdis,
A firewall's job is to prevent
Guys,
Everyone is complaining about whether a FW serves its purpose or
not. Take a step back. Security is about layers. Router ACLs to filter
whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect HTTP
payload. Patch management at the OS and Application layer on the server.
On Nov 15, 2011 7:09 AM, -Hammer- bhmc...@gmail.com wrote:
Guys,
Everyone is complaining about whether a FW serves its purpose or not.
Take a step back. Security is about layers. Router ACLs to filter
whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect HTTP
payload. Patch
I see your side Cameron.
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/15/2011 09:20 AM, Cameron Byrne wrote:
On Nov 15, 2011 7:09 AM, -Hammer- bhmc...@gmail.com wrote:
Guys,
Everyone is complaining about whether a FW serves its purpose or
not.
On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
On 14 Nov 2011, at 18:52, McCall, Gabriel gabriel.mcc...@thyssenkrupp.com
wrote:
Chuck, you're right that this should not happen- but the reason it should
not happen is because you have a properly functioning stateful firewall, not
If you put a router where you needed a firewall, then, this is not a
failure of the firewall, but, a
failure of the network implementor and the address space will not have
any impact whatsoever
on your lack of security.
And the difference between a router and a firewall is ...?
On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
If you put a router where you needed a firewall, then, this is not a
failure of the firewall, but, a
failure of the network implementor and the address space will not have
any impact whatsoever
on your lack of security.
And the difference
On 15 Nov 2011, at 15:36, Owen DeLong o...@delong.com wrote:
On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
On 14 Nov 2011, at 18:52, McCall, Gabriel
gabriel.mcc...@thyssenkrupp.com wrote:
Chuck, you're right that this should not happen- but the reason it should
not happen is
: Tuesday, November 15, 2011 9:17 AM
To: Leigh Porter
Cc: nanog@nanog.org; McCall, Gabriel
Subject: Re: Arguing against using public IP space
And this is totally overlooking the fact that the vast majority of
*actual* attacks these days are web-based drive-bys and similar things
that most
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart jer...@mompl.net wrote:
William Herrin wrote:
If your machine is addressed with a globally routable IP, a trivial
failure of your security apparatus leaves your machine addressable
from any other host in the entire world which wishes to send it
On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said:
A firewall's job is to prevent the success of ACTIVE attack vectors
against your network. If your firewall successfully restricts
attackers to passive attack vectors (drive-by downloads) and social
engineering vectors then it has done
On Nov 15, 2011, at 7:54 AM, Joe Greco wrote:
If you put a router where you needed a firewall, then, this is not a
failure of the firewall, but, a
failure of the network implementor and the address space will not have
any impact whatsoever
on your lack of security.
And the
On Tue, 15 Nov 2011, Joe Greco wrote:
Or perhaps a better argument would be that routers really ought to
default to deny. :-) I'd be fine with that, but I can hear the
screaming already.
er. you've forgotten en; conf t; ip routing to turn off the default no
ip routing (or no ip forwarding
On Tue, Nov 15, 2011 at 5:57 AM, Leigh Porter
leigh.por...@ukbroadband.com wrote:
As somebody else mentioned on this thread, a NAT box with private space on
one side fails closed.
This is a myth; just like "NAT provides security" is a myth.
It doesn't matter if your firewall performs NAT or
On Tue, 15 Nov 2011 17:16:23 GMT, Leigh Porter said:
Quite right.. I bet all Iran's nuclear facilities have air gaps but they let
people in with laptops and USB sticks.
And that's the point - *most* networks have so many bigger issues that the
whole "NAT makes us secure" mantra is dangerous
On Tue, 15 Nov 2011, Joe Greco wrote:
Or perhaps a better argument would be that routers really ought to
default to deny. :-) I'd be fine with that, but I can hear the
screaming already.
er. you've forgotten en; conf t; ip routing to turn off the default no
ip routing (or no ip
On 11/15/11 09:15, William Herrin wrote:
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart jer...@mompl.net wrote:
William Herrin wrote:
If your machine is addressed with a globally routable IP, a trivial
failure of your security apparatus leaves your machine addressable
from any other host in
On 11/13/11 07:36, Jason Lewis wrote:
I don't want to start a flame war, but this article seems flawed to
me. It seems an IP is an IP.
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
I think I could announce private
On Nov 15, 2011, at 9:15 AM, William Herrin wrote:
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart jer...@mompl.net wrote:
William Herrin wrote:
If your machine is addressed with a globally routable IP, a trivial
failure of your security apparatus leaves your machine addressable
from any
On Nov 15, 2011, at 9:14 AM, Leigh Porter wrote:
On 15 Nov 2011, at 15:36, Owen DeLong o...@delong.com wrote:
On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
On 14 Nov 2011, at 18:52, McCall, Gabriel
gabriel.mcc...@thyssenkrupp.com wrote:
Chuck, you're right that this should
- Original Message -
From: Valdis Kletnieks valdis.kletni...@vt.edu
And this is totally overlooking the fact that the vast majority of *actual*
attacks these days are web-based drive-bys and similar things that most
firewalls are configured to pass through. Think about it - if a
- Original Message -
From: Owen DeLong o...@delong.com
If your firewall is not working, it should not be passing packets.
Yes; your arguments all seem to depend on that property being true.
But we call it a *failure* for a reason, Owen.
What the probability is of a firewall failing
- Original Message -
From: Joe Greco jgr...@ns.sol.net
And some products, say like FreeBSD (which forms the heart of things
like pfSense, so let's not even begin to argue that it isn't a
firewall) can actually be configured to default either way.
By Owen's definition, it's not.
So
- Original Message -
From: Owen DeLong o...@delong.com
If your firewall is not working, it should not be passing packets.
And of course, things always fail just the way we want them to.
Your stateful firewall is no more likely to fail open than your
header-mutilating device.
Sent from my iPad
On Nov 15, 2011, at 4:10 PM, Jay Ashworth j...@baylink.com wrote:
- Original Message -
From: Owen DeLong o...@delong.com
If your firewall is not working, it should not be passing packets.
Yes; your arguments all seem to depend on that property being true.
- Original Message -
From: Joe Greco jgr...@ns.sol.net
And some products, say like FreeBSD (which forms the heart of things
like pfSense, so let's not even begin to argue that it isn't a
firewall) can actually be configured to default either way.
By Owen's definition, it's
In message 29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com, Jay Ashworth writes:
If your firewall is not working, it should not be passing packets.
And of course, things always fail just the way we want them to.
Your stateful firewall is no more likely to fail open
On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote:
You are making assumptions about how the NAT is designed.
[...]
Unless you know the internals of a NAT you cannot say whether it
fails open or closed.
Indeed not!
From 2010, during an identical discussion:
On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews ma...@isc.org wrote:
Given that most NATs only use a small set of address on the inside
it is actually feasible to probe through a NAT using LSR.
Most attacks don't do this as there are lots of lower hanging fruit
Mark,
My car can be slim-jimmed.
In message cap-gugxxm_dci6qrzr2aqmfonkh0afs2xdvvy-h-mpdxcrr...@mail.gmail.com, William Herrin writes:
On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews ma...@isc.org wrote:
Given that most NATs only use a small set of address on the inside
it is actually feasible to probe through a NAT using
- Original Message -
From: Mark Andrews ma...@isc.org
In message 29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com, Jay Ashworth writes:
If your firewall is not working, it should not be passing
packets.
And of course, things always fail just the way we
In message 28327223.2951.1321412909463.javamail.r...@benjamin.baylink.com, Jay Ashworth writes:
- Original Message -
From: Mark Andrews ma...@isc.org
In message 29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com, Jay Ashworth writes:
If your firewall is not
On 11/14/11 10:24 , Joe Greco wrote:
Sure, anytime there's an attack or failure on a SCADA network that
wouldn't have occurred had it been air-gapped, it's easy for people to
knee-jerk a "SCADA networks should be airgapped" response. But that's
not really intelligent commentary unless you
As far as I can see Red Tiger Security is Jonathan Pollet; and even
though they list Houston, Dubai, Milan, and Sydney as offices it looks
like Houston is the only one. Is that right? Seems a little
misleading.
It actually reminds me of a 16 year old kid I know who runs a web
hosting company
On Nov 14, 2011, at 9:24 AM, Joe Greco wrote:
Getting fixated on air-gapping is unrealistically ignoring the other threats out there.
I don't think anyone in this thread is 'fixated' on the idea of airgapping;
No, but it's clear that there are many designers out there who feel this
is
not mean that those functions are inseparable.
-Original message-
From: Chuck Church chuckchu...@gmail.com
To: 'Phil Regnauld' regna...@nsrc.org
Cc: nanog@nanog.org nanog@nanog.org
Sent: Sun, Nov 13, 2011 23:53:19 GMT+00:00
Subject: RE: Arguing against using public IP space
On Mon, Nov 14, 2011 at 1:50 PM, McCall, Gabriel
gabriel.mcc...@thyssenkrupp.com wrote:
Chuck, you're right that this should not happen- but
the reason it should not happen is because you have
a properly functioning stateful firewall, not because
you're using NAT. If your firewall is working
William Herrin wrote:
If your machine is addressed with a globally routable IP, a trivial
failure of your security apparatus leaves your machine addressable
from any other host in the entire world which wishes to send it
Isn't that the case with IPv6? That the IP is addressable from any host
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis jle...@packetnexus.com wrote:
I don't want to start a flame war, but this article seems flawed to
me.
Any article that claims a /12 is a 'class B', and a /16 is a 'Class C', is
DEFINITELY 'flawed'.
It seems an IP is an IP.
True.
On Nov 13, 2011, at 10:36 PM, Jason Lewis wrote:
I don't want to start a flame war, but this article seems flawed to me.
The real issue is interconnecting SCADA systems to publicly-routed networks,
not the choice of potentially routable space vs. RFC1918 space for SCADA
networks, per se.
On 14/11/2011, Jason Lewis jle...@packetnexus.com wrote:
I don't want to start a flame war,
If you didn't write it I wouldn't stress about that.
but this article seems flawed to
me.
Me too.
It seems an IP is an IP.
Yes but in IPv4 land there is a difference although probably not in
the
On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi
bon...@mail.r-bonomi.com wrote:
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis jle...@packetnexus.com
wrote:
In addition, virtually _every_ ASN operator has ingress filters on their
border routers to block almost all traffic to RFC-1918
I was involved in a security review of a SCADA system a couple of years ago.
Their guy was very impressed with himself and his Internet air-gap but
managed to leave all their ops consoles on both the SCADA network and their
internal corp LAN.
Their corp LAN was a mess with holes through their
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi
bon...@mail.r-bonomi.com wrote:
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis jle...@packetnexus.com
wrote:
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
Any
On 11/13/2011 13:27, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on
hosts behind NAT devices, from the interconnect network immediately
outside: if you can point a
On Sun, Nov 13, 2011 at 12:13 PM, William Herrin b...@herrin.us wrote:
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi
bon...@mail.r-bonomi.com wrote:
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis jle...@packetnexus.com
wrote:
' that allow ftp to work passively to blame?
Chuck
-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us]
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog@nanog.org
Subject: Re: Arguing against using public IP space
On 11/13/2011 13:27, Phil Regnauld wrote
Doug Barton (dougb) writes:
On 11/13/2011 13:27, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on
hosts behind NAT devices, from the interconnect network immediately
Chuck Church (chuckchurch) writes:
When you all say NAT, are you implying PAT as well? 1 to 1 NAT really
provides no security. But with PAT, different story. Are there poor
implementations of PAT that don't enforce an exact port/address match for
the translation table? If the translation
Google for "NAT is not a security feature" and review all the discussions and
unnecessary panic over a lack of NAT support in IPv6. If your SCADA network can
reach the public internet then your security is only as good as your firewall,
whether you NAT or not. If your SCADA network is completely
- Original Message -
From: Roland Dobbins rdobb...@arbor.net
The real issue is interconnecting SCADA systems to publicly-routed
networks, not the choice of potentially routable space vs. RFC1918
space for SCADA networks, per se. If I've an RFC1918-addressed SCADA
network which is
- Original Message -
From: Doug Barton do...@dougbarton.us
On 11/13/2011 13:27, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply
firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on
hosts behind NAT devices, from
On 11/13/11 7:36 AM, Jason Lewis wrote:
I don't want to start a flame war, but this article seems flawed to
me. It seems an IP is an IP.
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
I think I could announce private
-Original Message-
From: Phil Regnauld [mailto:regna...@nsrc.org]
PAT (overload) will have ports open listening for return traffic,
on the external IP that's being overloaded.
What happens if you initiate traffic directed at the RFC1918
network itself, and send that to
I think I could announce private IP space, so doesn't that make this
argument invalid?
You could announce it. I wouldn't expect anyone else to listen to those
announcements other than for the purpose of ridiculing you.
People keep pointing to this as unlikely. I argue that spammers are
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Nov 13 14:15:38
2011
From: William Herrin b...@herrin.us
Date: Sun, 13 Nov 2011 15:13:37 -0500
Subject: Re: Arguing against using public IP space
To: nanog@nanog.org
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi
bon...@mail.r
- Original Message -
From: Robert Bonomi bon...@mail.r-bonomi.com
In the 'classful' world, neither the /12 or the /16 spaces were referencible
as a single object. Correct 'classful descriptions' would have been:
16 contiguous Class 'B's
256 contiguous Class 'C's
Fine. But I think
On Nov 14, 2011, at 6:29 AM, Jay Ashworth wrote:
SCADA networks should be hard air-gapped from any other network.
Concur, GMTA. My point is that without an airgap, the attacker can jump from a
production network to the SCADA network, so we're in violent agreement.
;
On Sun, Nov 13, 2011 at 06:29:39PM -0500, Jay Ashworth wrote:
SCADA networks should be hard air-gapped from any other network.
In case you're in charge of one, and you didn't hear that, let me say
it again:
*SCADA networks should be hard air-gapped from any other network.*
If you're
- Original Message -
From: Brett Frankenberger rbf+na...@panix.com
What if you air-gap the SCADA network of which you are in
administrative control, and then there's a failure on it, and the
people responsible for troubleshooting it can't do it remotely (because of
the air gap), so
On 11/13/2011 4:27 PM, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on hosts
behind NAT devices, from the interconnect network immediately outside:
if you can point a route with the ext ip
On 11/13/11 3:58 PM, Jason Lewis wrote:
People keep pointing to this as unlikely. I argue that spammers are
currently doing this all over the world, maybe not as widespread with
1918 space. If I can announce 1918 space to an ISP where my target
is...it doesn't matter if everyone else ignores
Sure, anytime there's an attack or failure on a SCADA network that
wouldn't have occurred had it been air-gapped, it's easy for people to
knee-jerk a "SCADA networks should be airgapped" response. But that's
not really intelligent commentary unless you carefully consider what
risks are
On Sun, 13 Nov 2011 19:14:59 CST, Brett Frankenberger said:
What if you air-gap the SCADA network of which you are in
administrative control, and then there's a failure on it, and the people
responsible for troubleshooting it can't do it remotely (because of the
air gap), so the trouble
On 11/14/11 10:24 , Joe Greco wrote:
Sure, anytime there's an attack or failure on a SCADA network that
wouldn't have occurred had it been air-gapped, it's easy for people to
knee-jerk a "SCADA networks should be airgapped" response. But that's
not really intelligent commentary unless you
On Sun, Nov 13, 2011 at 3:03 PM, David Walker davidianwal...@gmail.com wrote:
On 14/11/2011, Jimmy Hess mysi...@gmail.com wrote:
A packet addressed to an endpoint that doesn't serve anything or have
a client listening will be ignored (whatever) as a matter of course.
Firewall or no firewall.
On Nov 13, 2011, at 7:36 AM, Jason Lewis wrote:
I don't want to start a flame war, but this article seems flawed to
me. It seems an IP is an IP.
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
I think I could
On Nov 14, 2011, at 9:24 AM, Joe Greco wrote:
Getting fixated on air-gapping is unrealistically ignoring the other threats
out there.
I don't think anyone in this thread is 'fixated' on the idea of airgapping; but
it's generally a good idea whenever possible, and as restrictive a