Arguing against using public IP space

Leigh Porter leigh.porter at ukbroadband.com
Tue Nov 15 17:16:23 UTC 2011


Quite right.. I bet all Iran's nuclear facilities have air gaps but they let people in with laptops and USB sticks.

-- 
Leigh


On 15 Nov 2011, at 14:48, "Chuck Church" <chuckchurch at gmail.com> wrote:

> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
> Sent: Tuesday, November 15, 2011 9:17 AM
> To: Leigh Porter
> Cc: nanog at nanog.org; McCall, Gabriel
> Subject: Re: Arguing against using public IP space
> 
>> And this is totally overlooking the fact that the vast majority of
>> *actual* attacks these days are web-based drive-bys and similar things
>> that most firewalls are configured to pass through.  Think about it - if a
>> NAT'ed firewall provides any real protection against real attacks, why are
>> there still so many zombied systems out there?  I mean, Windows
>> Firewall has been shipping with inbound "default deny" since XP SP2 or so.
>> How many years ago was that?
> 
> Simple explanation is that most firewall rules are written to trust traffic
> initiated by 'inside' (your users), and the return traffic gets trusted as
> well.  This applies to both Windows' own FW, and most hardware based
> firewalls.  And NAT/PAT devices too.  There's nothing more dangerous than a
> user with a web browser.  Honestly, FWs will keep out attacks initiated from
> outside.  But for traffic permitted or initiated by the inside, IPS is the only
> way to go.
> 
> Chuck  

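The point Chuck makes above (a stateful firewall drops unsolicited inbound connections but trusts anything the inside initiates, including whatever comes back on that session) is easy to see in a toy model. The following is an added example, not code from anyone in this thread: a minimal stateful filter with a session table, run through the four cases the discussion describes. The IP addresses, ports, the payload strings and the "IPS signature" are all constructed for the demo; the marker string stands in for whatever content inspection a real IPS would apply and detects nothing real.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    sport: int          # source port
    dst: str            # destination IP
    dport: int          # destination port
    direction: str      # "out" = inside -> outside, "in" = outside -> inside
    syn: bool = False   # True for a connection-opening packet
    payload: bytes = b""


class StatefulFirewall:
    """Default-deny inbound; trust everything the inside initiates and its replies."""

    def __init__(self, inspect=None):
        # Remembered sessions: (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()
        # Optional content check applied only to inbound packets on permitted flows
        self.inspect = inspect

    def filter(self, pkt):
        if pkt.direction == "out":
            # Inside-initiated traffic is trusted and its session is recorded,
            # which is what later lets the reply back in.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return "drop"          # unsolicited inbound: the default-deny rule
        if self.inspect is not None and self.inspect(pkt.payload):
            return "drop-ips"      # flow is permitted, but content matched a signature
        return "allow"             # return traffic for an inside-initiated session


# Constructed marker standing in for an IPS signature (hypothetical, demo only).
MALICIOUS_MARKER = b"CONSTRUCTED-EXPLOIT-MARKER"


def toy_ips(payload):
    """Hypothetical content check: flag payloads carrying the constructed marker."""
    return MALICIOUS_MARKER in payload


def run_scenario(with_ips):
    """Return the firewall verdict for each of the four cases in the thread."""
    fw = StatefulFirewall(inspect=toy_ips if with_ips else None)
    inside, outside = "10.0.0.5", "203.0.113.7"   # constructed; 203.0.113.0/24 is documentation space
    results = {}
    # 1. Unsolicited inbound connection attempt: stopped by default deny.
    results["unsolicited_inbound"] = fw.filter(
        Packet(outside, 4444, inside, 445, "in", syn=True))
    # 2. A user's browser opens a connection outward: trusted, session recorded.
    results["outbound_request"] = fw.filter(
        Packet(inside, 51000, outside, 80, "out", syn=True))
    # 3. Benign reply on that session: allowed as return traffic.
    results["benign_reply"] = fw.filter(
        Packet(outside, 80, inside, 51000, "in", payload=b"<html>ok</html>"))
    # 4. Drive-by content riding the same session: also "return traffic" to a
    #    stateful filter; only the content check distinguishes it.
    results["driveby_reply"] = fw.filter(
        Packet(outside, 80, inside, 51000, "in",
               payload=b"<html>" + MALICIOUS_MARKER + b"</html>"))
    return results


if __name__ == "__main__":
    for label, verdicts in (("stateful only", run_scenario(False)),
                            ("stateful + IPS", run_scenario(True))):
        print(label, verdicts)
```

Without inspection the model reports `allow` for both replies, since the session table cannot tell a benign page from a hostile one; only the content check on the permitted flow changes the verdict for case 4, which is the gap between a stateful firewall (or NAT device) and an IPS that the thread is arguing about.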
