On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> > There is a widespread myth that NAT and the fact that you are on
> > different addresses somehow bestows upon you some measure of security.
> > As a leading security researcher, let me impress upon you that nothing
> > could be further from the truth. You can get security from the inherent
> > statefulness of your common consumer grade NAT but there are other forms
> > of NAT which do not convey this. Merely the fact that your addresses
> > are mapped does not provide you with any protection. It's the state
> > engine and the dynamic mapping that do this. But, SURPRISE, that's
> > exactly what's in a stateful firewall. There is NO intrinsic advantage
> > of NAT over a decent stateful firewall. None.
> >
> > IPv6 also has a number of security advantages over IPv4, not the least
> > of which are "no broadcast address" and "virtually impossible to
> > comprehensively brute force scan". That doesn't mean it can't be
> > scanned (the scans have to be more targeted and intelligent),
> ...
>
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface. No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS. Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance. You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

No... Look at your default IPv6 netfilter tables.

/etc/sysconfig/ip6tables

That's what firewalls are for. That's what a stateful firewall on your
system is for.

Mike

> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>

--
Michael H. Warfield (AI4NB)   | (770) 985-6132  | mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/            | (678) 463-0932  | http://www.wittsend.com/mhw/
   NIC whois: MHW9            | An optimist believes we live in the best of all
   PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
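As an added example for the point Mike makes above (this is not code from the thread, and not Fedora's shipped default), here is a minimal stateful IPv6 ruleset in the ip6tables-save format that /etc/sysconfig/ip6tables uses, generated by a small shell script. It gives a host, and in the FORWARD chain a home router, the same property a consumer NAT box gets from its state table: inbound packets are accepted only when they belong to a connection opened from the inside, so a device behind it (the HDTV or video recorder in Bob's scenario) is not reachable for new connections from the outside even though its address is globally routable. The interface names and the single allowed TCP port are assumptions for illustration; ICMPv6 is passed because neighbour discovery, SLAAC and path MTU discovery break without it.

```shell
#!/bin/sh
# Added example, not from the original thread or from Fedora's default ruleset:
# a stateful IPv6 filter in ip6tables-save format. Interface names and the
# exposed port are assumed values for illustration.
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the LAN
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the internet
ALLOW_TCP_PORT="${ALLOW_TCP_PORT:-22}"   # assumed: the one service deliberately exposed

# Print the ruleset to stdout. Load it with:  gen_ip6tables_rules | ip6tables-restore
# (ip6tables-restore ignores the '#' comment lines.)
gen_ip6tables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then packets that belong to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 carries neighbour discovery, router advertisements and PMTU; do not drop it wholesale
-A INPUT -p ipv6-icmp -j ACCEPT
# The one service deliberately reachable from outside (assumed port)
-A INPUT -p tcp --dport ${ALLOW_TCP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Every other unsolicited packet, including probes of services left listening by accident, is refused
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Router case: hosts behind ${LAN_IF} may open connections outward; nothing new comes in from ${WAN_IF}
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Sanity check to run before loading: both inbound chains default to DROP and
# the ESTABLISHED,RELATED rule sits above the INPUT catch-all REJECT.
# Returns 0 when the ruleset has the stateful shape, 1 otherwise.
check_stateful() {
    rules="$(gen_ip6tables_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    est_line=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    rej_line=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j REJECT' | cut -d: -f1)
    [ -n "$est_line" ] && [ -n "$rej_line" ] && [ "$est_line" -lt "$rej_line" ]
}

# Usage: ./ip6fw.sh --print > /etc/sysconfig/ip6tables   (after check_stateful passes)
if [ "${1:-}" = "--print" ]; then
    check_stateful || { echo "ruleset is not stateful, refusing to print" >&2; exit 1; }
    gen_ip6tables_rules
fi
```

The ordering matters more than the individual rules: the ESTABLISHED,RELATED match must come before the catch-all REJECT, and the chain policy must be DROP, otherwise a routable address really is an open door. That ordering, not the address rewriting, is the whole of what a NAT box's state engine buys you.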