Arguing against using public IP space

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
Sent: Tuesday, November 15, 2011 9:17 AM
To: Leigh Porter
Cc: nanog at nanog.org; McCall, Gabriel
Subject: Re: Arguing against using public IP space

> And this is totally overlooking the fact that the vast majority of
*actual* attacks these days are web-based drive-bys > and similar things
that most firewalls are configured to pass through.  Think about it - if a
NAT'ed firewall provides > any real protection against real attacks, why are
there still so many zombied systems out there?  I mean, Windows         >
Firewall has been shipping with inbound "default deny" since XP SP2 or so.
How many years ago was that?

Simple explanation is that most firewall rules are written to trust traffic
initiated by 'inside' (your users), and the return traffic gets trusted as
well.  This applies to both Window's own FW, and most hardware based
firewalls.  And NAT/PAT devices too.  There's nothing more dangerous than a
user with a web browser.  Honestly, FWs will keep out attacks initiated from
outside.  But for traffic permitted or initiated by the inside, IPS is only
way to go.  

Chuck  

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]