On Jun 8, 2011, at 9:20 PM, Mark Andrews wrote:

> It's *never* been a good idea, let alone a best idea; however, it was
> the only solution to a problem in the last millennium and really
> should only be deployed to protect those 20 year old boxes that still
> have that problem.
> 
> Way too much of security so called "best practice" isn't and actually
> has detrimental effects that outweigh any benefits.

I'm not sure the best way to fix this as there's all these common 
misconceptions about technology out there.

MYTHS:

TCP/53 is only for zone transfers
ICMP is a security risk/ddos avenue
Internal networks must be secured with NAT
A firewall is the only way to secure the perimeter

In fact, for IPv6, ICMP is more important, not less.  Firewalls frequently harm 
and don't block data going out.  TCP/53 is needed for EDNS.  IPv6 doesn't have 
the concept of NAT, or at least not in the same way as people use 1918 space at 
home and in IT networks...

I'm not sure the best way to deal with this.  There's a lot of netadmins 
(perhaps myself included) that operate in a universe where they treat these 
items as fact, real and even on an audit-checklist.

When it comes to enabling IPv6 on your NOC or corporate network, how will they 
respond?  "Wait, they will have a globally routed IP address?  How do I NAT 
that?"

It does alter the environment of enforcing a security policy.  Then again with 
all this "cloud" stuff (should that read return to mainframe processing days?), 
it may not matter as much since what you're securing will be "in the cloud", a 
remote location that has a pre-existing security policy that meets whatever 
your standards are (FIPS, FISMA, the auditors, etc..)

        - Jared
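
The TCP/53 point in the message above, as an added example that is not part of Jared's post nor code from any software discussed in the thread: a minimal resolver-side flow in Python that sends a query carrying an EDNS0 OPT record, reads the TC (truncated) bit of the UDP reply, and resends the same query over TCP/53 with the two-byte length prefix TCP framing requires. The transports are stand-in callables and the server replies are constructed inside the block, so it runs offline; `example.com` and the transaction ID 0x1234 are arbitrary choices for illustration. The practical consequence is that a firewall dropping TCP/53 breaks every lookup whose answer does not fit the UDP size the client accepts (large DNSSEC-signed or TXT responses), not only zone transfers.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1): QR marks a response, TC marks
# a reply the server had to truncate because it did not fit the UDP limit.
QR_FLAG = 0x8000
RD_FLAG = 0x0100
RA_FLAG = 0x0080
TC_FLAG = 0x0200
OPT_TYPE = 41  # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS label form (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def question_section(name: str, qtype: int) -> bytes:
    """QNAME + QTYPE + QCLASS (IN)."""
    return encode_name(name) + struct.pack("!HH", qtype, 1)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """Recursive query carrying an EDNS0 OPT record that advertises a UDP
    payload size larger than the classic 512 bytes."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question_section(name, qtype) + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields a resolver checks."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & QR_FLAG),
            "truncated": bool(flags & TC_FLAG), "rcode": flags & 0x000F,
            "counts": (qd, an, ns, ar)}


def tcp_frame(msg: bytes) -> bytes:
    """Prefix a message with its 2-byte length, as TCP/53 requires
    (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(query: bytes, udp_reply: bytes) -> bool:
    """True when the UDP reply is truncated and the query must be resent
    over TCP; rejects replies that do not match the query's transaction ID."""
    q, r = parse_header(query), parse_header(udp_reply)
    if not r["is_response"] or r["id"] != q["id"]:
        raise ValueError("reply does not match query")
    return r["truncated"]


def resolve(name: str, udp_send, tcp_send) -> tuple:
    """Ordinary resolver flow: try UDP first, fall back to TCP on TC=1.
    udp_send(query) -> reply; tcp_send(framed_query) -> framed_reply.
    Returns (reply, transport_used)."""
    query = build_query(name)
    reply = udp_send(query)
    if not needs_tcp_retry(query, reply):
        return reply, "udp"
    framed = tcp_send(tcp_frame(query))
    (length,) = struct.unpack("!H", framed[:2])
    reply = framed[2:2 + length]
    if needs_tcp_retry(query, reply):
        raise RuntimeError("server truncated even over TCP")
    return reply, "tcp"


def make_reply(query: bytes, name: str, qtype: int = 1,
               truncated: bool = True) -> bytes:
    """Constructed sample server reply (not captured traffic): echoes the
    query's ID and question, sets QR/RD/RA and optionally TC, no answers."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (TC_FLAG if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + question_section(name, qtype)


if __name__ == "__main__":
    # Stand-in transports instead of sockets, so this runs offline:
    # the UDP path truncates, the TCP path returns the full reply.
    udp = lambda q: make_reply(q, "example.com", truncated=True)
    tcp = lambda framed: tcp_frame(make_reply(framed[2:], "example.com",
                                              truncated=False))
    reply, transport = resolve("example.com", udp, tcp)
    print(transport, parse_header(reply))
```

To point it at a real server, replace the two callables with a `socket.SOCK_DGRAM` send/receive for `udp_send` and a `socket.SOCK_STREAM` connection that writes the framed query and reads the framed reply for `tcp_send`; the header and framing logic stays the same.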
