jgreco at ns.sol.net
Mon Mar 24 13:25:42 UTC 2014
> Hi Mike,
> You can either press the big red button and fire the nukes or you
> can't, so what difference how many layers of security are involved
> with the "Football?"
> I say this with the utmost respect, but you must understand the
> principle of defense in depth in order to make competent security
> decisions for your organization. Smart people disagree on the details
> but the principle is not only iron clad, it applies to all forms of
> security, not just IP network security.
The problem here is that what's actually going on is that you're now
enshrining as a "security" device a hacky, ill-conceived workaround
for a lack of flexibility/space/etc in IPv4. NAT was not designed
to act as a security feature.
If you want more layers of security, put a second firewall into your
design. Don't perpetuate horrid IPv4 hacks that were necessary for
specific reasons into IPv6 where those hacks are no longer needed.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG