Quite right. I bet all Iran's nuclear facilities have air gaps but they let people in with laptops and USB sticks.
-- Leigh

On 15 Nov 2011, at 14:48, "Chuck Church" <chuckchu...@gmail.com> wrote:

> -----Original Message-----
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Tuesday, November 15, 2011 9:17 AM
> To: Leigh Porter
> Cc: nanog@nanog.org; McCall, Gabriel
> Subject: Re: Arguing against using public IP space
>
>> And this is totally overlooking the fact that the vast majority of
>> *actual* attacks these days are web-based drive-bys and similar things
>> that most firewalls are configured to pass through. Think about it - if a
>> NAT'ed firewall provides any real protection against real attacks, why are
>> there still so many zombied systems out there? I mean, Windows
>> Firewall has been shipping with inbound "default deny" since XP SP2 or so.
>> How many years ago was that?
>
> Simple explanation is that most firewall rules are written to trust traffic
> initiated by 'inside' (your users), and the return traffic gets trusted as
> well. This applies to both Windows' own FW, and most hardware-based
> firewalls. And NAT/PAT devices too. There's nothing more dangerous than a
> user with a web browser. Honestly, FWs will keep out attacks initiated from
> outside. But for traffic permitted or initiated by the inside, IPS is the only
> way to go.
>
> Chuck
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
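An added illustration of the rule base Chuck describes in the quoted message (this is example code written for this page, not anything posted to the thread or shipped by any firewall vendor): a toy stateful filter with inbound default-deny that trusts any packet belonging to a flow the inside opened, plus an optional inline content check standing in for the IPS he mentions. The addresses, the HTTP response and the single "drive-by" signature are all constructed for the demo; they are not real indicators.

```python
"""Toy stateful firewall vs. inline inspection (added example, not from the thread).

Models the policy in the quoted message: inbound is default-deny, but any
packet that matches a flow the inside initiated is accepted, payload unseen.
Packets, addresses and the signature below are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


INSIDE_PREFIX = "10.0.0."   # assumed "inside" network for the demo


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


@dataclass
class StatefulFirewall:
    """Default-deny inbound; accept outbound and anything on a known flow."""
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, p: Packet):
        # Canonical 4-tuple so both directions of a flow map to one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            # Outbound: permitted, and the flow becomes trusted.
            self.flows.add(self._key(p))
            self.log.append(("ACCEPT-OUT", p))
            return True
        if self._key(p) in self.flows:
            # Inbound on a flow the inside opened: the "return traffic"
            # the rule base trusts without ever looking at the payload.
            self.log.append(("ACCEPT-RETURN", p))
            return True
        self.log.append(("DROP-INBOUND", p))
        return False


# Constructed signature for the demo; real IPS rule sets are far richer.
SIGNATURES = [b"<script>eval(unescape("]


def ips_inspect(p: Packet) -> bool:
    """Return True if the payload matches a signature and should be blocked."""
    return any(sig in p.payload for sig in SIGNATURES)


def run(packets, use_ips: bool):
    """Push packets through the firewall (and optionally the IPS); return (fw, delivered)."""
    fw = StatefulFirewall()
    delivered = []
    for p in packets:
        if not fw.filter(p):
            continue
        if use_ips and ips_inspect(p):
            fw.log.append(("IPS-BLOCK", p))
            continue
        delivered.append(p)
    return fw, delivered


def outcomes(fw: StatefulFirewall) -> list:
    """Verdict per packet, in arrival order."""
    return [verdict for verdict, _ in fw.log]


def sample_traffic():
    """Constructed packet sequence: a browser visit that returns a hostile page,
    followed by an unsolicited inbound connection attempt."""
    user, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    hostile_page = (b"HTTP/1.1 200 OK\r\n\r\n"
                    b"<html><script>eval(unescape('%75'))</script></html>")
    return [
        Packet(user, 51000, web, 80, syn=True),                  # browser opens site
        Packet(web, 80, user, 51000, syn=True, ack=True),        # handshake reply
        Packet(web, 80, user, 51000, ack=True, payload=hostile_page),
        Packet(attacker, 4444, user, 445, syn=True),             # unsolicited inbound
    ]


if __name__ == "__main__":
    for use_ips in (False, True):
        fw, delivered = run(sample_traffic(), use_ips)
        print(f"ips={use_ips}: {outcomes(fw)} -> {len(delivered)} delivered")
```

Without the inspection hook the hostile page is delivered, because it arrives on a flow the user's browser opened; the only packet the stateful rule drops is the unsolicited SYN to port 445. With the hook, the same flow is still permitted by the rule base and the block happens only because something looked at the payload, which is the distinction the message draws between a firewall and an IPS.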