Arguing against using public IP space
Leigh Porter
leigh.porter at ukbroadband.com
Tue Nov 15 17:16:23 UTC 2011
Quite right. I bet all Iran's nuclear facilities have air gaps but they let people in with laptops and USB sticks.
--
Leigh
On 15 Nov 2011, at 14:48, "Chuck Church" <chuckchurch at gmail.com> wrote:
> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
> Sent: Tuesday, November 15, 2011 9:17 AM
> To: Leigh Porter
> Cc: nanog at nanog.org; McCall, Gabriel
> Subject: Re: Arguing against using public IP space
>
>> And this is totally overlooking the fact that the vast majority of
>> *actual* attacks these days are web-based drive-bys and similar things
>> that most firewalls are configured to pass through. Think about it - if a
>> NAT'ed firewall provides any real protection against real attacks, why are
>> there still so many zombied systems out there? I mean, Windows
>> Firewall has been shipping with inbound "default deny" since XP SP2 or so.
>> How many years ago was that?
>
> Simple explanation is that most firewall rules are written to trust traffic
> initiated by 'inside' (your users), and the return traffic gets trusted as
> well. This applies to both Windows' own FW, and most hardware-based
> firewalls. And NAT/PAT devices too. There's nothing more dangerous than a
> user with a web browser. Honestly, FWs will keep out attacks initiated from
> outside. But for traffic permitted or initiated by the inside, IPS is the only
> way to go.
>
> Chuck
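Chuck's point above (the firewall trusts whatever the inside starts, and the return traffic with it, so a drive-by rides in on a permitted flow and only inspection of that flow stops it), modelled as an added toy example; this is not code from the thread or from any real firewall, and the addresses, ports and marker string are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

INSIDE_PREFIX = "10.0.0."   # constructed: the "inside" network behind the firewall
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    """Inbound default deny; anything the inside starts is allowed, and its
    replies are matched against a state table, as the mail above describes."""
    state: Set[FlowKey] = field(default_factory=set)
    content_check: Optional[Callable[[Packet], bool]] = None  # IPS-style hook

    def permit(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE_PREFIX):
            # Outbound: trusted, and remembered so the reply is trusted too.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key not in self.state:
            return False            # unsolicited inbound: default deny works
        if self.content_check is not None and not self.content_check(pkt):
            return False            # inside-initiated flow, but payload rejected
        return True                 # return traffic rides in on the trusted flow


def drive_by_scenario(with_ips: bool) -> Dict[str, bool]:
    """Constructed traffic: an unsolicited probe, then a user browsing to a
    site whose reply carries a hostile payload (the marker string is made up)."""
    fw = StatefulFirewall()
    if with_ips:
        fw.content_check = lambda p: b"HOSTILE-MARKER" not in p.payload
    probe = Packet("198.51.100.7", 4444, "10.0.0.5", 445)
    request = Packet("10.0.0.5", 50000, "198.51.100.7", 80, b"GET / HTTP/1.1")
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 50000, b"HTTP/1.1 200 HOSTILE-MARKER")
    return {
        "unsolicited_inbound": fw.permit(probe),   # blocked by default deny
        "user_request": fw.permit(request),        # allowed: inside-initiated
        "hostile_reply": fw.permit(reply),         # allowed unless inspected
    }
```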