Retraining "IT" on networking myths (the cloud to the rescue!)

• Previous message (by thread): Retraining "IT" on networking myths (the cloud to the rescue!)
• Next message (by thread): Cogent IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 06/08/11 18:32, Jared Mauch wrote:

> MYTHS:
>
> TCP/53 is only for zone transfers ICMP is a security risk/ddos
> avenue Internal networks must be secured with NAT A firewall is the
> only way to secure the perimiter
>
> In fact for IPv6, ICMP is more important vs less.  Firewalls
> frequently harm and don't block data going out.  TCP/53 is needed for
> EDNS.

tcp/53 is needed when EDNS is _not_ available and DNS message size 
exceeds 512 bytes.  UDP fragments are (sometimes) necessary for EDNS.

So, that adds to your MYTHS section:

Fragmented packets (like ICMP) are always a security risk and DDoS vector

michael

• Previous message (by thread): Retraining "IT" on networking myths (the cloud to the rescue!)
• Next message (by thread): Cogent IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]