IPV6 renumbering painless?

Alexei Roudnev alex at relcom.net
Sun Nov 14 03:32:02 UTC 2004


Btw - using Solaris + no_stack_exec + old ssl - appears to be 100% secure
from all random attacks (it can be broken - in theory, see articles from
'Solar Designer' - but it is absolutely impractical for hacking). I watched
such a system (absolutely not patched, with apache and openssl, untouched for
3 years - we kept it as a honeypot - not a single exploit). And if you add IP
filter + non standard port, it protects you 100% even if your service has a
broken library.

As a result - it is safer to run old openssl + filter + solaris, vs running
SuSe linux + automated upgrade + unfiltered openssl. It is a well known
thing - want best security - do not use anything standard, customize
everything.

So, step 1 - filter; step 2 - customize; and step 3 - update. Just updates
without the first 2 steps are much more dangerous, vs no updates but the first 2
steps.

PS. Why is it in the IPv6 thread? And why is IP filtering broken? Even a
primitive firewall can do enough protection to make any random packets
useless.

----- Original Message ----- 
From: "Christopher L. Morrow" <christopher.morrow at mci.com>
To: "Iljitsch van Beijnum" <iljitsch at muada.com>
Cc: "Henning Brauer" <hb-nanog at bsws.de>; <nanog at merit.edu>
Sent: Saturday, November 13, 2004 7:09 PM
Subject: Re: IPV6 renumbering painless?


>
> On Sat, 13 Nov 2004, Iljitsch van Beijnum wrote:
> > On 13-nov-04, at 10:02, Henning Brauer wrote:
> >
> > Filtering based on IP addresses is a broken concept.
> >
> > I'm not a huge fan of sprinkling crypto over everything, but if you
> > want certain people to have access to some stuff and not others,
> > IPsec/SSL are the way to go.
>
> there are things putting random packets over the network today, trying to
> exploit services you might be using, or your customers might be using.
> IPSEC everywhere is 'nice' but not horribly practical. SSL is nice, until
> your SSL libraries have remotely exploitable DoS or root
> vulnerabilities... how many times over the last 12 months has openssl been
> upgraded due to 'security' issues?
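The "filter + non standard port" setup the message above argues for, written out as an added illustration that is not part of the original thread. It is a Solaris IP Filter (ipf) ruleset as it would be loaded from /etc/ipf/ipf.conf; the interface name hme0, the management network 192.0.2.0/24, the host address 198.51.100.10 and the service port 8443 are all constructed placeholders, not values from the list post:

```text
# Default posture: drop and log everything inbound that no later rule passes.
block in log all

# Loopback traffic is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound connections from the host are allowed; "keep state" lets the
# replies back in without a matching inbound "pass" rule.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Step 1 (filter) + step 2 (customize): only the management network may reach
# the TLS service, and only on its non-standard port 8443. Random scanners hit
# the "block in log all" rule above and never reach the listening library.
pass in quick on hme0 proto tcp from 192.0.2.0/24 to 198.51.100.10 port = 8443 flags S keep state

# Everything else inbound on hme0 (including port 443) falls through to the block.
```

The point the ruleset makes is the one the message makes in prose: the exposure of a vulnerable library is bounded by who can open a TCP connection to it, so the source restriction is doing the work, and the non-standard port only removes the host from opportunistic sweeps. The "log" keyword on the default block is what lets an operator see those sweeps in ipmon output and confirm that the filter, not luck, is holding.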