Retraining "IT" on networking myths (the cloud to the rescue!)
jared at puck.nether.net
Wed Jun 8 20:32:20 CDT 2011
On Jun 8, 2011, at 9:20 PM, Mark Andrews wrote:
> It's *never* been a good idea let alone a best idea however it was
> the only solution to a problem in the last millinium and really
> should only be deploy to protect those 20 year old boxes that still
> have that problem.
> Way to much of security so called "best practice" isn't and actually
> has deterimental effects that outweigh any benifits.
I'm not sure the best way to fix this as there's all these common misconceptions about technology out there.
TCP/53 is only for zone transfers
ICMP is a security risk/ddos avenue
Internal networks must be secured with NAT
A firewall is the only way to secure the perimiter
In fact for IPv6, ICMP is more important vs less. Firewalls frequently harm and don't block data going out. TCP/53 is needed for EDNS. IPv6 doesn't have the concept of NAT, or at least not in the same way as people use 1918 space at home and in IT networks...
I'm not sure the best way to deal with this. There's a lot of netadmins (perhaps myself included) that operate in a universe where they treat these items as fact, real and even on an audit-checklist.
When it comes to enabling IPv6 on your NOC or corporate network, how will they respond? "Wait, they will have a globally routed IP address? How do I NAT that?"
It does alter the environment of enforcing a security policy. Then again with all this "cloud" stuff (should that read return to mainframe processing days?), it may not matter as much since what you're securing will be "in the cloud", a remote location that has a pre-existing security policy that meets whatever your standards are (FIPS, FISMA, the auditors, etc..)
More information about the NANOG