On 2/17/24 10:22 AM, Justin Streiner wrote:
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (Palo Alto,
Cisco, Fortinet, etc)? On the las
On 2/17/24 2:21 PM, John Levine wrote:
But what happens under the hood at
major mailbox providers is maddeningly opaque so who really knows? It
would be nice if MAAWG published a best practices or something like that
to outline what is actually happening in live deployments.
Unfortunately, spa
Hi,
Appreciate if someone from AS6079 could reach me off-list.
Thanks,
Aaron
It appears that Michael Thomas said:
>I kind of get the impression that once you get to aggregates at the
>domain level like DKIM or SPF, addresses as a reputation vehicle don't
>much figure into decision making.
It definitely does, since there are plenty of IPs that send only
malicious mail, o
On 17/02/2024, 19:27:20, "William Herrin" wrote:
So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call N
On Sat, Feb 17, 2024 at 10:34 AM Michael Thomas wrote:
> I didn't hear about NAT until the
> late 90's, iirc. I've definitely not heard of Gauntlet.
Then there are gaps in your knowledge.
> Funny, I don't recall Bellovin and Cheswick's Firewall book discussing
> NAT.
And mine too, since I hadn'
On 2/17/24 10:19 AM, Owen DeLong via NANOG wrote:
Mike, it’s true that Google used to be a lot less strict on IPv4 email
than IPv6, but they want SPF and /or DKIM on everything now, so it’s
mostly the same. There is less reputation data available for IPv6 and
server reputation is a harder pro
On Sat, Feb 17, 2024 at 10:22 AM Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6
> uptake - what have peoples' experiences been related to
> crafting sane v6 firewall rulesets in recent products from the
> major firewall players (Palo Alto, Cisco, Fortinet
On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
- Original Message -
From: "Justin Streiner"
4. Getting people to unlearn the "NAT=Security" mindset that we were forced
to accept in the v4 world.
NAT doesn't "equal" security.
I can’t speak to Cisco as I don’t have recent experience there. Juniper, Linux,
Palo Alto, and most others I’ve dealt with in the last 5 years pose no
significant difference in writing policy for IPv6 vs. the process for IPv4.
Owen
On Feb 17, 2024, at 10:23, Justin Streiner wrote:
We went pretty de
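As an added illustration of the point Owen makes above (and of Justin's question about v6 rulesets), here is a dual-stack nftables ruleset written by this editor, not posted by anyone in the thread. It uses one `inet` table so the IPv4 and IPv6 policy is literally the same text, with the single IPv6-specific caveat practitioners get bitten by: ICMPv6 carries NDP and PMTUD and must not be blanket-dropped. Interface names and the RFC 5737 / RFC 3849 documentation addresses are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example for a small dual-stack edge router; not from the NANOG thread.
# Placeholders: eth0/eth1 and the documentation addresses below.
flush ruleset

define wan  = "eth0"
define lan  = "eth1"
define web4 = 192.0.2.80        # inside web server, IPv4 (TEST-NET-1, placeholder)
define web6 = 2001:db8:1::80    # inside web server, IPv6 (documentation prefix, placeholder)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # IPv6 breaks without these: NDP, PMTUD and basic error signalling.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        iifname $lan accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # default deny
        ct state established,related accept
        ct state invalid drop
        # Transit ICMPv6 errors (packet-too-big in particular) must be forwarded.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept
        iifname $lan oifname $wan accept                   # outbound from the LAN
        # Inbound exposure is one explicit rule per family. The v4 rule matches the
        # post-DNAT destination; the v6 rule matches the real address. A wrong
        # address in either line exposes the wrong host in exactly the same way.
        iifname $wan ip6 daddr $web6 tcp dport 443 accept
        iifname $wan ip  daddr $web4 tcp dport 443 accept
    }
}

# IPv4 only: the NAT table exists solely because the LAN uses private space.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $wan tcp dport 443 dnat to $web4           # the "port map"
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade
    }
}
```

Syntax-check with `nft -c -f <file>` before loading. The v6 half carries no NAT table at all, so the policy review is shorter, not longer: the only inbound-allow lines to audit are the two `tcp dport 443 accept` rules in `forward`.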
> Think of it like this: you have a guard, you have a fence and you have
> barbed wire on top of the fence. Can you secure the place without the
> barbed wire? Of course. Can an intruder defeat the barbed wire? Of
> course. Is it more secure -with- the barbed wire? Obviously.
>
NAT is like the b
Bill, same scenario, but instead of fat fingering an outbound rule, you fat
finger a port map for inbound connections to a different host and get the
destination address wrong.
Still hacked.
NAT doesn’t prevent fat fingers from getting you hacked, it just changes the
nature of the required f
On 2/16/24 6:33 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel wrote:
Depending on where that rule is placed within your ACL, yes that can happen
with *ANY* address family.
Hi Ryan,
Correct. The examples illustrated a difference between a firewall
implementing address
Most firewalls are default deny. Routers are default allow unless you put a
filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at
best, it complicates the audit trail.
Owen
> On Feb 16, 2024, at 15:19, Jay R. Ashworth wrote:
>
> - Origina
> On Feb 16, 2024, at 14:20, Jay R. Ashworth wrote:
>
> - Original Message -
>> From: "Justin Streiner"
>
>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> to accept in the v4 world.
>
> NAT doesn't "equal" security.
>
> But it is certainly a *compo
On Sat, Feb 17, 2024 at 10:03 AM Michael Thomas wrote:
> On 2/16/24 5:37 PM, William Herrin wrote:
> > What is there to address? I already said that NAT's security
> > enhancement comes into play when a -mistake- is made with the network
> > configuration. You want me to say it again? Okay, I've s
We went pretty deep into the weeds on NAT in this thread - far deeper than
I expected ;)
Getting back to the recently revised topic of this thread - IPv6 uptake -
what have peoples' experiences been related to crafting sane v6 firewall
rulesets in recent products from the major firewall players (P
Mike, it’s true that Google used to be a lot less strict on IPv4 email than
IPv6, but they want SPF and /or DKIM on everything now, so it’s mostly the
same. There is less reputation data available for IPv6 and server reputation is
a harder problem in IPv6, but reputation systems are becoming les
On 2/16/24 5:37 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 5:33 PM Michael Thomas wrote:
So you're not going to address that this is a management plane problem.
Hi Mike,
What is there to address? I already said that NAT's security
enhancement comes into play when a -mistake- is made
For me, LinkedIn renders those links as tracker links only, so I can't tell
what they are until I follow them.
Also (in Crocodile Dundee voice): *That's* not a really long list. :D
https://infosec.exchange/@tychotithonus/111924626712765292
(disclaimer: my own work on tracking the DNSSEC validat
>
> Any given layer of security can be breached with expense and effort.
> Breaching every layer of security at the same time is more challenging
> than breaching any particular one of them. The use of NAT adds a layer
> of security to the system that is not otherwise there.
>
>
> Think of it like
Really long list of fixed dns servers here:
https://www.linkedin.com/posts/bwoodcock_a-bunch-of-really-hard-work-over-the-past-activity-7163284274660532224-vYKv
--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos