North American Network Operators Group
Re: Assigning IPv6 /48's to CPE's?
On Thu, January 3, 2008 3:17 pm, William Herrin wrote:

> In my ever so humble opinion, IPv6 will not reach significant
> penetration at the customer level until NAT has been thoroughly
> implemented. Corporate information security officers will insist.
> Here's the thing: a stateful non-NAT firewall is automatically less
> secure than a stateful translating firewall. Why? Because a mistake
> configuring a NAT firewall breaks the network causing everything to
> stop working while a mistake with a firewall that does no translation
> causes data to flow unfiltered. Humans being humans, mistakes will be
> made. The first failure mode is highly preferable.

Only assuming the nature of your mistake is 'turn it off'.

I can fat-finger a 'port-forward *all* ports to important internal server', rather than just '80/TCP', pretty much exactly as easily as I can fat-finger 'permit *all* external to important internal server' rather than just '80/TCP'.

Which failure mode is more acceptable is going to depend on the business in question too. If 'seconds connected to the Internet' is a direct driver of 'dollars made', spending a length of time exposed (risk of loss) while fixing a config error may well be preferable to spending a length of time disconnected (actual loss).

I'll grant the 'everything is disconnected' case is easier to spot, though - especially if you don't have proper change management to test that the change you made is the change you think you made.

Regards,
Tim.
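The two fat-finger cases in Tim's reply (a DNAT that forwards every port, and a filter rule that permits every port, when only 80/TCP was meant) are equally easy to make and equally easy to catch before the change goes live, which is the change-management point at the end of the post. The following is an added example, not part of the original post or of any product: a small pre-change check that computes the exposure implied by a ruleset and compares it with the exposure the change was supposed to create. The rule syntax is a hypothetical simplified iptables-like notation, and the addresses are constructed for the example.

```python
"""
Added example (not from the original NANOG post): a pre-change check that
flags a port-forward or a permit rule that opens more than was intended.

Hypothetical rule syntax, constructed for this example:
  DNAT   <proto> <dport|range|any> -> <internal-ip>[:<port>]
  ACCEPT <proto> <dport|range|any> to <internal-ip>
Both rule kinds expose the internal host on the listed external port(s),
so both are measured the same way.
"""
import re

DNAT_RE = re.compile(r"^DNAT\s+(\S+)\s+(\S+)\s*->\s*([\d.]+)(?::(\S+))?$")
ACCEPT_RE = re.compile(r"^ACCEPT\s+(\S+)\s+(\S+)\s+to\s+([\d.]+)$")

ALL_PORTS = frozenset(range(1, 65536))


def parse_ports(spec):
    """'80' -> {80}; '8000-8010' -> {8000..8010}; 'any' -> every port."""
    if spec == "any":
        return ALL_PORTS
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return frozenset(range(int(lo), int(hi) + 1))
    return frozenset({int(spec)})


def exposure(rules):
    """Map internal host -> set of (proto, external port) reachable from outside."""
    exposed = {}
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DNAT_RE.match(line) or ACCEPT_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        proto, ports, host = m.group(1), parse_ports(m.group(2)), m.group(3)
        exposed.setdefault(host, set()).update((proto, p) for p in ports)
    return exposed


def check_change(rules, intended):
    """
    intended: {host: {(proto, port), ...}} - what the change is supposed to open.
    Returns a list of findings; an empty list means the rules open exactly
    what was intended (no more, no less).
    """
    findings = []
    actual = exposure(rules)
    for host, ports in actual.items():
        extra = ports - intended.get(host, set())
        if extra:
            findings.append("%s: %d unintended (proto, port) pairs exposed, e.g. %s"
                            % (host, len(extra), sorted(extra)[:3]))
    for host, ports in intended.items():
        missing = ports - actual.get(host, set())
        if missing:
            findings.append("%s: intended ports not opened: %s"
                            % (host, sorted(missing)))
    return findings


# Constructed sample change: the intent is to expose 10.0.0.5 on 80/TCP only.
INTENDED = {"10.0.0.5": {("tcp", 80)}}
FAT_FINGERED_NAT = ["DNAT tcp any -> 10.0.0.5"]        # forwards *all* ports
FAT_FINGERED_ACL = ["ACCEPT tcp any to 10.0.0.5"]      # permits *all* ports
CORRECT_NAT = ["DNAT tcp 80 -> 10.0.0.5:80"]
CORRECT_ACL = ["ACCEPT tcp 80 to 10.0.0.5"]

if __name__ == "__main__":
    for name, rules in [("fat-fingered NAT", FAT_FINGERED_NAT),
                        ("fat-fingered ACL", FAT_FINGERED_ACL),
                        ("correct NAT", CORRECT_NAT),
                        ("correct ACL", CORRECT_ACL)]:
        print(name, "->", check_change(rules, INTENDED) or "OK")
```

Both fat-fingered variants produce the same finding (65,534 unintended ports), which is the point: the check measures what the rule exposes, not whether it is a translation or a filter rule, so neither mistake gets a free pass on the grounds that it "fails closed".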