Re: Arguing against using public IP space

2011-11-16 Thread Dave Hart
On Wed, Nov 16, 2011 at 20:38, Ray Soucy wrote: > I would go as far as to argue that the false sense of security > provided by NAT is more dangerous than any current threat that NAT > alone would prevent. Agreed, and I don't think that's going far at all. My opinion is _both_ stateful firewalls

Re: Arguing against using public IP space

2011-11-16 Thread Owen DeLong
On Nov 16, 2011, at 10:58 AM, Jay Ashworth wrote: > - Original Message - >> From: "Owen DeLong" > >> In this case, a router with NAT is slightly more likely to fail closed than >> a router without NAT. > > "Slightly"? Continuing to assume here, as we have been, that the network > behi

Re: Arguing against using public IP space

2011-11-16 Thread -Hammer-
Well argued Owen. I can see both sides. -Hammer- "I was a normal American nerd" -Jack Herer On 11/16/2011 02:44 PM, Owen DeLong wrote: On Nov 16, 2011, at 9:13 AM, -Hammer- wrote: "NAT neither provides nor contributes to security. NAT detracts from security by destroying audit trails a

Re: Arguing against using public IP space

2011-11-16 Thread Ray Soucy
On Wed, Nov 16, 2011 at 3:44 PM, Owen DeLong wrote: > Actually, the first rule of security in many texts I have read is "Security > through obscurity > is no security." Relevant: http://penny-arcade.com/comic/2003/03/21 :-) -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-35

Re: Arguing against using public IP space

2011-11-16 Thread Owen DeLong
On Nov 16, 2011, at 9:13 AM, -Hammer- wrote: > "NAT neither provides nor contributes to security. > NAT detracts from security by destroying audit trails and > interrupting/obfuscating > attack source identification, forensics, etc." > > Respectfully, I'm really struggling with this. Sentence o

Re: Arguing against using public IP space

2011-11-16 Thread Ray Soucy
Can't believe this is still going on. ;-) NAT does not provide security; it provides utility. It is useful in many situations, though. If you are limited in the amount of public IP space you have, then NAT is one solution to that. If you want to have a backup connection to the Internet, but don

Re: Arguing against using public IP space

2011-11-16 Thread Jay Ashworth
- Original Message - > From: "Owen DeLong" > In this case, a router with NAT is slightly more likely to fail closed than > a router without NAT. "Slightly"? Continuing to assume here, as we have been, that the network behind a NAT is *unroutable*, then a NAT router has, IME, *many* more

Re: Arguing against using public IP space

2011-11-16 Thread -Hammer-
"NAT neither provides nor contributes to security. NAT detracts from security by destroying audit trails and interrupting/obfuscating attack source identification, forensics, etc." Respectfully, I'm really struggling with this. Sentence one is an opinion. It's all a matter of the designers vie

Re: Arguing against using public IP space

2011-11-16 Thread Owen DeLong
On Nov 15, 2011, at 7:08 PM, Jay Ashworth wrote: > - Original Message - >> From: "Mark Andrews" > >> In message >> <29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: >> If your firewall is not working, it should not be passing >> packets.

Re: Arguing against using public IP space

2011-11-16 Thread Owen DeLong
On Nov 15, 2011, at 6:07 PM, Karl Auer wrote: > On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote: >> You are making assumptions about how the NAT is designed. >> [...] >> Unless you know the internals of a NAT you cannot say whether it >> fails open or closed. > > Indeed not! > > From 2010

Re: Arguing against using public IP space

2011-11-16 Thread Eric C. Miller
Not sure if anyone has thought of it like this, but: Air Gap is still only as secure as the people with access to it. NAT and firewalls provide a compromise between security and connectivity. But remember that at a power plant, the PBX system still connects to the outside world, and there is a

Re: Arguing against using public IP space

2011-11-15 Thread Mark Andrews
In message <28327223.2951.1321412909463.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > - Original Message - > > From: "Mark Andrews" > > > In message > > <29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > > > > >> If your firewall

Re: Arguing against using public IP space

2011-11-15 Thread Jay Ashworth
- Original Message - > From: "Mark Andrews" > In message > <29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > > > >> If your firewall is not working, it should not be passing > > > >> packets. > > > > > > > > And of course, things always fail just

Re: Arguing against using public IP space

2011-11-15 Thread Mark Andrews
In message , William Herrin writes: > On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews wrote: > > Given that most NATs only use a small set of address on the inside > > it is actually feasible to probe through a NAT using LSR. > > Most attacks don't do this as there are lots of lower hanging fruit
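
Mark Andrews's loose-source-routing probe, as an added example that is not part of the thread or of any poster's code: the Python below builds an IPv4 header whose destination is the NAT box's external address and whose LSRR option (RFC 791, option type 131) names the inside RFC 1918 target as the next hop, then parses it back and checks the header checksum. All addresses are made up for the example; the packet is only constructed, never sent, since sending it needs a raw socket and root. One caveat the post does not spell out: every hop, the NAT box included, has to honour source routing for this to work, and most current stacks drop LSRR packets unless told otherwise (Linux with net.ipv4.conf.all.accept_source_route left at 0, Cisco IOS with `no ip source-route`).

```python
"""Build and parse an IPv4 header carrying a Loose Source and Record Route
(LSRR) option, RFC 791 section 3.1. Added illustration for the NANOG thread,
not code from it; addresses are constructed."""
import socket
import struct

IPOPT_EOL = 0       # end of option list
IPOPT_NOP = 1       # no-operation (used as padding by some stacks)
IPOPT_LSRR = 0x83   # copied=1, class=0, number=3: loose source route


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones-complement of the ones-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lsrr_option(route: list) -> bytes:
    """LSRR option: type, length, pointer (4 = first address), the addresses,
    then EOL padding so the options field ends on a 32-bit boundary."""
    body = b"".join(socket.inet_aton(a) for a in route)
    opt = bytes([IPOPT_LSRR, 3 + len(body), 4]) + body
    return opt + bytes([IPOPT_EOL]) * ((-len(opt)) % 4)


def build_ipv4_header(src: str, dst: str, route: list, proto: int = 1,
                      payload_len: int = 0, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """dst is the first hop (here: the NAT box's external address); route holds
    the remaining hops, which each gateway swaps into the destination field."""
    opts = lsrr_option(route)
    ihl = (20 + len(opts)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident, 0,
                      ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + opts
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_lsrr(header: bytes):
    """Return (header_len, dst, pointer, route) after verifying the checksum.
    pointer/route are None/[] if the header carries no LSRR option."""
    if ip_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    hlen = (header[0] & 0x0F) * 4
    dst = socket.inet_ntoa(header[16:20])
    opts = header[20:hlen]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if kind == IPOPT_LSRR:
            ptr = opts[i + 2]
            addrs = [socket.inet_ntoa(opts[i + 3 + j:i + 7 + j])
                     for j in range(0, length - 3, 4)]
            return hlen, dst, ptr, addrs
        i += length
    return hlen, dst, None, []


if __name__ == "__main__":
    # Probe from a host on the interconnect, addressed to the NAT box's outside
    # address, asking it to forward on to an inside host (constructed addresses).
    h = build_ipv4_header("203.0.113.77", "203.0.113.1", ["10.0.0.5"])
    print(h.hex())
    print(parse_lsrr(h))
```

The option sits after the fixed 20 bytes and IHL grows to cover it, which is also why an ACL that matches on IHL != 5 or on option presence (Cisco `ip options drop`) is a cheap way to refuse these probes at the edge.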

Re: Arguing against using public IP space

2011-11-15 Thread William Herrin
On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews wrote: > Given that most NATs only use a small set of address on the inside > it is actually feasible to probe through a NAT using LSR. > Most attacks don't do this as there are lots of lower hanging fruit Mark, My car can be slim-jimmed. Yet the loc

Re: Arguing against using public IP space

2011-11-15 Thread Karl Auer
On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote: > You are making assumptions about how the NAT is designed. > [...] > Unless you know the internals of a NAT you cannot say whether it > fails open or closed. Indeed not! From 2010, during an identical discussion: http://seclists.org/nano

Re: Arguing against using public IP space

2011-11-15 Thread Mark Andrews
In message <29838609.2919.1321392184239.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > > >> If your firewall is not working, it should not be passing packets. > > > > > > And of course, things always fail just the way we want them to. > > > > Your stateful firewall is no more likely

Re: Arguing against using public IP space

2011-11-15 Thread Joe Greco
> - Original Message - > > From: "Joe Greco" > > > And some products, say like FreeBSD (which forms the heart of things > > like pfSense, so let's not even begin to argue that it "isn't a > > firewall") can actually be configured to default either way. > > By Owen's definition, it's not.

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
Sent from my iPad On Nov 15, 2011, at 4:10 PM, Jay Ashworth wrote: > - Original Message - >> From: "Owen DeLong" > >> If your firewall is not working, it should not be passing packets. > > Yes; your arguments all seem to depend on that property being true. > > But we call it a *fai

Re: Arguing against using public IP space

2011-11-15 Thread Jay Ashworth
- Original Message - > From: "Owen DeLong" > >> If your firewall is not working, it should not be passing packets. > > > > And of course, things always fail just the way we want them to. > > Your stateful firewall is no more likely to fail open than your > header-mutilating device. Ple

Re: Arguing against using public IP space

2011-11-15 Thread Jay Ashworth
- Original Message - > From: "Joe Greco" > And some products, say like FreeBSD (which forms the heart of things > like pfSense, so let's not even begin to argue that it "isn't a > firewall") can actually be configured to default either way. By Owen's definition, it's not. > So basically

Re: Arguing against using public IP space

2011-11-15 Thread Jay Ashworth
- Original Message - > From: "Owen DeLong" > If your firewall is not working, it should not be passing packets. Yes; your arguments all seem to depend on that property being true. But we call it a *failure* for a reason, Owen. What the probability is of a firewall failing in such a f

Re: Arguing against using public IP space

2011-11-15 Thread Jay Ashworth
- Original Message - > From: "Valdis Kletnieks" > And this is totally overlooking the fact that the vast majority of *actual* > attacks these days are web-based drive-bys and similar things that most > firewalls are configured to pass through. Think about it - if a NAT'ed > firewall provi

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
On Nov 15, 2011, at 9:14 AM, Leigh Porter wrote: > > On 15 Nov 2011, at 15:36, "Owen DeLong" wrote: > >> >> On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote: >> >>> >>> >>> On 14 Nov 2011, at 18:52, "McCall, Gabriel" >>> wrote: >>> Chuck, you're right that this should not happen- bu

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
On Nov 15, 2011, at 9:15 AM, William Herrin wrote: > On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart wrote: >> William Herrin wrote: >>> If your machine is addressed with a globally routable IP, a trivial >>> failure of your security apparatus leaves your machine addressable >>> from any other

Re: Arguing against using public IP space

2011-11-15 Thread Michael Sinatra
On 11/13/11 07:36, Jason Lewis wrote: I don't want to start a flame war, but this article seems flawed to me. It seems an IP is an IP. http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html I think I could announce private IP

Re: Arguing against using public IP space

2011-11-15 Thread Michael Sinatra
On 11/15/11 09:15, William Herrin wrote: On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart wrote: William Herrin wrote: If your machine is addressed with a globally routable IP, a trivial failure of your security apparatus leaves your machine addressable from any other host in the entire world

Re: Arguing against using public IP space

2011-11-15 Thread Joe Greco
> On Tue, 15 Nov 2011, Joe Greco wrote: > > Or perhaps a better argument would be that routers really ought to > > default to deny. :-) I'd be fine with that, but I can hear the > > screaming already. > > er. you've forgotten "en; conf t; ip routing" to turn off the default "no > ip routing" (

Re: Arguing against using public IP space

2011-11-15 Thread Valdis . Kletnieks
On Tue, 15 Nov 2011 17:16:23 GMT, Leigh Porter said: > Quite right.. I bet all Iran's nuclear facilities have air gaps but they let > people in with laptops and USB sticks. And that's the point - *most* networks have so many bigger issues that the whole "NAT makes us secure" mantra is dangerous se

Re: Arguing against using public IP space

2011-11-15 Thread Ray Soucy
On Tue, Nov 15, 2011 at 5:57 AM, Leigh Porter wrote: > As somebody else mentioned on this thread, a NAT box with private space on > one side fails closed. This is a myth; just like NAT provides security is a myth. It doesn't matter if your firewall performs NAT or not; if it fails, traffic will

Re: Arguing against using public IP space

2011-11-15 Thread david raistrick
On Tue, 15 Nov 2011, Joe Greco wrote: Or perhaps a better argument would be that routers really ought to default to deny. :-) I'd be fine with that, but I can hear the screaming already. er. you've forgotten "en; conf t; ip routing" to turn off the default "no ip routing" (or "no ip forwar

Re: Arguing against using public IP space

2011-11-15 Thread Joe Greco
> On Nov 15, 2011, at 7:54 AM, Joe Greco wrote: > >> If you put a router where you needed a firewall, then, this is not a > >> failure of the firewall, but, a > >> failure of the network implementor and the address space will not have > >> any impact whatsoever > >> on your lack of security. >

Re: Arguing against using public IP space

2011-11-15 Thread Valdis . Kletnieks
On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said: > A firewall's job is to prevent the success of ACTIVE attack vectors > against your network. If your firewall successfully restricts > attackers to passive attack vectors (drive-by downloads) and social > engineering vectors then it has done

Re: Arguing against using public IP space

2011-11-15 Thread William Herrin
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart wrote: > William Herrin wrote: >> If your machine is addressed with a globally routable IP, a trivial >> failure of your security apparatus leaves your machine addressable >> from any other host in the entire world which wishes to send it > > Isn't

Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter
edu] > Sent: Tuesday, November 15, 2011 9:17 AM > To: Leigh Porter > Cc: nanog@nanog.org; McCall, Gabriel > Subject: Re: Arguing against using public IP space > >> And this is totally overlooking the fact that the vast majority of > *actual* attacks these days are web-based drive-b

Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter
On 15 Nov 2011, at 15:36, "Owen DeLong" wrote: > > On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote: > >> >> >> On 14 Nov 2011, at 18:52, "McCall, Gabriel" >> wrote: >> >>> Chuck, you're right that this should not happen- but the reason it should >>> not happen is because you have a prope

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
On Nov 15, 2011, at 7:54 AM, Joe Greco wrote: >> If you put a router where you needed a firewall, then, this is not a >> failure of the firewall, but, a >> failure of the network implementor and the address space will not have >> any impact whatsoever >> on your lack of security. > > And the

Re: Arguing against using public IP space

2011-11-15 Thread Joe Greco
> If you put a router where you needed a firewall, then, this is not a > failure of the firewall, but, a > failure of the network implementor and the address space will not have > any impact whatsoever > on your lack of security. And the difference between a router and a firewall is ...? Appa

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote: > > > On 14 Nov 2011, at 18:52, "McCall, Gabriel" > wrote: > >> Chuck, you're right that this should not happen- but the reason it should >> not happen is because you have a properly functioning stateful firewall, not >> because you're using

Re: Arguing against using public IP space

2011-11-15 Thread -Hammer-
I see your side Cameron. -Hammer- "I was a normal American nerd" -Jack Herer On 11/15/2011 09:20 AM, Cameron Byrne wrote: On Nov 15, 2011 7:09 AM, "-Hammer-" > wrote: > > Guys, >Everyone is complaining about whether a FW serves its purpose or not. Take a ste

Re: Arguing against using public IP space

2011-11-15 Thread Cameron Byrne
On Nov 15, 2011 7:09 AM, "-Hammer-" wrote: > > Guys, >Everyone is complaining about whether a FW serves its purpose or not. Take a step back. Security is about layers. Router ACLs to filter whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect HTTP payload. Patch management at th

Re: Arguing against using public IP space

2011-11-15 Thread -Hammer-
Guys, Everyone is complaining about whether a FW serves its purpose or not. Take a step back. Security is about layers. Router ACLs to filter whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect HTTP payload. Patch management at the OS and Application layer on the server. He

Re: Arguing against using public IP space

2011-11-15 Thread William Herrin
On Tue, Nov 15, 2011 at 9:17 AM, wrote: > And this is totally overlooking the fact that the vast majority of *actual* > attacks these days are web-based drive-bys and similar things that most > firewalls are configured to pass through. Valdis, A firewall's job is to prevent the success of ACTIV

Re: Arguing against using public IP space

2011-11-15 Thread Owen DeLong
On Nov 14, 2011, at 11:32 AM, William Herrin wrote: > On Mon, Nov 14, 2011 at 1:50 PM, McCall, Gabriel > wrote: >> Chuck, you're right that this should not happen- but >> the reason it should not happen is because you have >> a properly functioning stateful firewall, not because >> you're using

RE: Arguing against using public IP space

2011-11-15 Thread Chuck Church
-Original Message- From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] Sent: Tuesday, November 15, 2011 9:17 AM To: Leigh Porter Cc: nanog@nanog.org; McCall, Gabriel Subject: Re: Arguing against using public IP space > And this is totally overlooking the fact that the v

Re: Arguing against using public IP space

2011-11-15 Thread Valdis . Kletnieks
On Tue, 15 Nov 2011 10:57:32 GMT, Leigh Porter said: > Well this is not quite true, is it.. If your firewall is not working and you > have private space internally then you are a lot better off then if you have > public space internally! So if your firewall is not working then having > private >

Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter
On 14 Nov 2011, at 18:52, "McCall, Gabriel" wrote: > Chuck, you're right that this should not happen- but the reason it should not > happen is because you have a properly functioning stateful firewall, not > because you're using NAT. If your firewall is working properly, then having > publi

Re: Arguing against using public IP space

2011-11-14 Thread Jeroen van Aart
William Herrin wrote: If your machine is addressed with a globally routable IP, a trivial failure of your security apparatus leaves your machine addressable from any other host in the entire world which wishes to send it Isn't that the case with IPv6? That the IP is addressable from any host i

Re: Arguing against using public IP space

2011-11-14 Thread William Herrin
On Mon, Nov 14, 2011 at 1:50 PM, McCall, Gabriel wrote: > Chuck, you're right that this should not happen- but > the reason it should not happen is because you have > a properly functioning stateful firewall, not because > you're using NAT. If your firewall is working properly, > then having publi

RE: Arguing against using public IP space

2011-11-14 Thread McCall, Gabriel
irewalling does not mean that those functions are inseparable. -Original message- From: Chuck Church To: 'Phil Regnauld' Cc: "nanog@nanog.org" Sent: Sun, Nov 13, 2011 23:53:19 GMT+00:00 Subject: RE: Arguing against using public IP space -Original Messag

Re: Arguing against using public IP space

2011-11-14 Thread Joe Greco
> On Nov 14, 2011, at 9:24 AM, Joe Greco wrote: > > Getting fixated on air-gapping is unrealistically ignoring the other threats out there. > > I don't think anyone in this thread is 'fixated' on the idea of airgapping; No, but it's clear that there are many designers out there who feel this

Re: Arguing against using public IP space

2011-11-14 Thread Ray Soucy
As far as I can see Red Tiger Security is Jonathan Pollet; and even though they list Houston, Dubai, Milan, and Sydney as offices it looks like Houston is the only one.  Is that right?  Seems a little misleading. It actually reminds me of a 16 year old kid I know who runs a web hosting "company" t

Re: Arguing against using public IP space

2011-11-14 Thread Joe Greco
> On 11/14/11 10:24 , Joe Greco wrote: > >> Sure, anytime there's an attack or failure on a SCADA network that > >> wouldn't have occurred had it been air-gapped, it's easy for people to > >> knee-jerk a "SCADA networks should be airgapped" response. But that's > >> not really intelligent commenta

Re: Arguing against using public IP space

2011-11-13 Thread Dobbins, Roland
On Nov 14, 2011, at 9:24 AM, Joe Greco wrote: > Getting fixated on air-gapping is unrealistically ignoring the other threats > out there. I don't think anyone in this thread is 'fixated' on the idea of airgapping; but it's generally a good idea whenever possible, and as restrictive a communica

Re: Arguing against using public IP space

2011-11-13 Thread Owen DeLong
On Nov 13, 2011, at 7:36 AM, Jason Lewis wrote: > I don't want to start a flame war, but this article seems flawed to > me. It seems an IP is an IP. > > http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html > > I think I cou

Re: Arguing against using public IP space

2011-11-13 Thread Jimmy Hess
On Sun, Nov 13, 2011 at 3:03 PM, David Walker wrote: > On 14/11/2011, Jimmy Hess wrote: > A packet addressed to an endpoint that doesn't serve anything or have > a client listening will be ignored (whatever) as a matter of course. > Firewall or no firewall. It will not go to a listening applicati

Re: Arguing against using public IP space

2011-11-13 Thread Joel jaeggli
On 11/14/11 10:24 , Joe Greco wrote: >> Sure, anytime there's an attack or failure on a SCADA network that >> wouldn't have occurred had it been air-gapped, it's easy for people to >> knee-jerk a "SCADA networks should be airgapped" response. But that's >> not really intelligent commentary unless

Re: Arguing against using public IP space

2011-11-13 Thread Valdis . Kletnieks
On Sun, 13 Nov 2011 19:14:59 CST, Brett Frankenberger said: > What if you air-gap the SCADA network of which you are in > administrative control, and then there's a failure on it, and the people > responsible for troubleshooting it can't do it remotely (because of the > air gap), so the trouble co

Re: Arguing against using public IP space

2011-11-13 Thread Joe Greco
> Sure, anytime there's an attack or failure on a SCADA network that > wouldn't have occurred had it been air-gapped, it's easy for people to > knee-jerk a "SCADA networks should be airgapped" response. But that's > not really intelligent commentary unless you carefully consider what > risks are a

Re: Arguing against using public IP space

2011-11-13 Thread Jay Hennigan
On 11/13/11 3:58 PM, Jason Lewis wrote: People keep pointing to this as unlikely. I argue that spammers are currently doing this all over the world, maybe not as widespread with 1918 space. If I can announce 1918 space to an ISP where my target is...it doesn't matter if everyone else ignores

Re: Arguing against using public IP space

2011-11-13 Thread Jeff Kell
On 11/13/2011 4:27 PM, Phil Regnauld wrote: That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip o

Re: Arguing against using public IP space

2011-11-13 Thread Jay Ashworth
- Original Message - > From: "Brett Frankenberger" > What if you air-gap the SCADA network of which you are in > administrative control, and then there's a failure on it, and the > people responsible for troubleshooting it can't do it remotely (because of > the air gap), so the trouble co

Re: Arguing against using public IP space

2011-11-13 Thread Brett Frankenberger
On Sun, Nov 13, 2011 at 06:29:39PM -0500, Jay Ashworth wrote: > > SCADA networks should be hard air-gapped from any other network. > > In case you're in charge of one, and you didn't hear that, let me say > it again: > > *SCADA networks should be hard air-gapped from any other network.* > > If

Re: Arguing against using public IP space

2011-11-13 Thread Dobbins, Roland
On Nov 14, 2011, at 6:29 AM, Jay Ashworth wrote: > SCADA networks should be hard air-gapped from any other network. Concur, GMTA. My point is that without an airgap, the attacker can jump from a production network to the SCADA network, so we're in violent agreement. ;> --

Re: Arguing against using public IP space

2011-11-13 Thread Jay Ashworth
- Original Message - > From: "Robert Bonomi" > In the 'classful' world, neither the /12 or the /16 spaces were referencible > as a single object. Correct 'classful descriptions' would have been: > "16 contiguous Class 'B's" "256 contiguous Class 'C's" Fine. But I think you're going to f

Re: Arguing against using public IP space

2011-11-13 Thread Robert Bonomi
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Nov 13 14:15:38 > 2011 > From: William Herrin > Date: Sun, 13 Nov 2011 15:13:37 -0500 > Subject: Re: Arguing against using public IP space > To: nanog@nanog.org > > On Sun, Nov 13, 2011 at 11:38 AM, Robert Bon

Re: Arguing against using public IP space

2011-11-13 Thread Jason Lewis
>> I think I could announce private IP space, so doesn't that make this >> argument invalid? > > You could announce it.  I wouldn't expect anyone else to listen to those > announcements other than for the purpose of ridiculing you. > People keep pointing to this as unlikely. I argue that spammers

RE: Arguing against using public IP space

2011-11-13 Thread Chuck Church
-Original Message- From: Phil Regnauld [mailto:regna...@nsrc.org] >PAT (overload) will have ports open listening for return traffic, >on the external IP that's being "overloaded". >What happens if you initiate traffic directed at the RFC1918 >network itself, and send tha

Re: Arguing against using public IP space

2011-11-13 Thread Jay Hennigan
On 11/13/11 7:36 AM, Jason Lewis wrote: I don't want to start a flame war, but this article seems flawed to me. It seems an IP is an IP. http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html I think I could announce private

Re: Arguing against using public IP space

2011-11-13 Thread Jay Ashworth
Original Message - > From: "Doug Barton" > On 11/13/2011 13:27, Phil Regnauld wrote: > > That's not exactly correct. NAT doesn't imply > > firewalling/filtering. > > To illustrate this to customers, I've mounted attacks/scans on > > hosts behind NAT devices, from the inte

Re: Arguing against using public IP space

2011-11-13 Thread Jay Ashworth
- Original Message - > From: "Roland Dobbins" > The real issue is interconnecting SCADA systems to publicly-routed > networks, not the choice of potentially routable space vs. RFC1918 > space for SCADA networks, per se. If I've an RFC1918-addressed SCADA > network which is interconnected

Re: Arguing against using public IP space

2011-11-13 Thread McCall, Gabriel
network is completely isolated then it doesn't make a bit of difference what addresses you use. -Original message- From: Jason Lewis To: "nanog@nanog.org" Sent: Sun, Nov 13, 2011 15:36:43 GMT+00:00 Subject: Arguing against using public IP space I don't want to start a fla

Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
Chuck Church (chuckchurch) writes: > When you all say NAT, are you implying PAT as well? 1 to 1 NAT really > provides no security. But with PAT, different story. Are there poor > implementations of PAT that don't enforce an exact port/address match for > the translation table? If the translatio

Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
Doug Barton (dougb) writes: > On 11/13/2011 13:27, Phil Regnauld wrote: > > That's not exactly correct. NAT doesn't imply firewalling/filtering. > > To illustrate this to customers, I've mounted attacks/scans on > > hosts behind NAT devices, from the interconnect network immediately > >

RE: Arguing against using public IP space

2011-11-13 Thread Chuck Church
e 'helpers' that allow ftp to work passively to blame? Chuck -Original Message- From: Doug Barton [mailto:do...@dougbarton.us] Sent: Sunday, November 13, 2011 4:49 PM To: Phil Regnauld Cc: nanog@nanog.org Subject: Re: Arguing against using public IP space On 11/13/2011 13:27,

Re: Arguing against using public IP space

2011-11-13 Thread Cameron Byrne
On Sun, Nov 13, 2011 at 12:13 PM, William Herrin wrote: > On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi > wrote: >> On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis >> wrote; >>> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-defa

Re: Arguing against using public IP space

2011-11-13 Thread Doug Barton
On 11/13/2011 13:27, Phil Regnauld wrote: > That's not exactly correct. NAT doesn't imply firewalling/filtering. > To illustrate this to customers, I've mounted attacks/scans on > hosts behind NAT devices, from the interconnect network immediately > outside: if you can point
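
Phil Regnauld's demonstration (from the network directly outside the NAT box, point a route for the inside RFC 1918 prefix at the box's external address) and Chuck Church's question about PAT implementations that do not check the source of return traffic, modelled together as an added example. This is a toy simulation written for this page in Python, not code from any poster or product: a NAT router that translates on a table created by outbound flows, with a stateful filter stage that can be switched off to stand in for the failed or never-present firewall the fail-open/fail-closed subthread argues about. Addresses and ports are constructed for the example.

```python
"""Toy model: NAT translation versus a stateful filter. Added illustration
for the NANOG thread, not anyone's product code. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    external_ip: str
    inside_net: ipaddress.IPv4Network
    stateful_filter: bool = True
    # ext_port -> (inside_ip, inside_port); entries are created by outbound flows
    nat_table: dict = field(default_factory=dict)
    # (src, sport, dst, dport) of the replies the filter stage will admit
    states: set = field(default_factory=set)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source to external_ip:ext_port and
        remember the reply we expect to see on the outside interface."""
        ext_port = self.next_port
        self.next_port += 1
        self.nat_table[ext_port] = (pkt.src, pkt.sport)
        self.states.add((pkt.dst, pkt.dport, self.external_ip, ext_port))
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside -> inside. Returns the packet handed inward, or None if dropped."""
        # Filter stage: only traffic matching a recorded flow gets in. Take this
        # stage away and what is left is a router that also rewrites addresses.
        if self.stateful_filter and (pkt.src, pkt.sport, pkt.dst, pkt.dport) not in self.states:
            return None
        if pkt.dst == self.external_ip:
            # Addressed to the box itself: translate if a mapping exists. With no
            # filter, *any* source hitting a mapped port is translated inward,
            # the loose port/address matching Chuck asks about.
            mapping = self.nat_table.get(pkt.dport)
            if mapping is None:
                return None
            in_ip, in_port = mapping
            return Packet(pkt.src, pkt.sport, in_ip, in_port)
        if ipaddress.ip_address(pkt.dst) in self.inside_net:
            # Addressed straight to an inside RFC 1918 host. Nothing to translate,
            # the box has a route to it, so a plain router forwards it: Phil's probe
            # from the adjacent network with a static route pointed at the box.
            return pkt
        return None


def probe_results(stateful_filter: bool) -> dict:
    """Run the three inbound cases against one box; True means it got inside."""
    box = NatRouter("203.0.113.1", ipaddress.ip_network("192.168.1.0/24"), stateful_filter)
    box.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))  # inside host browses out
    cases = {
        "reply_to_flow": Packet("198.51.100.5", 80, "203.0.113.1", 40000),
        "third_party_to_mapped_port": Packet("203.0.113.77", 4444, "203.0.113.1", 40000),
        "routed_straight_to_inside": Packet("203.0.113.77", 4444, "192.168.1.10", 22),
    }
    return {name: box.inbound(p) is not None for name, p in cases.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful filter %s: %s" % ("on" if mode else "off", probe_results(mode)))
```

With the filter stage present only the genuine reply gets in; with it absent the box still does its job as a NAT (the reply is translated correctly) and also forwards the other two, which is the whole point of the "NAT is not a firewall" side: the translation table never decided anything about the probe addressed to 192.168.1.10, the route did.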

Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
William Herrin (bill) writes: > If your machine is addressed with a globally routable IP, a trivial > failure of your security apparatus leaves your machine addressable > from any other host in the entire world which wishes to send it > packets. In the parlance, it tends to "fail open." Machines us

Re: Arguing against using public IP space

2011-11-13 Thread David Walker
Hey. On 14/11/2011, Jimmy Hess wrote: > In other words, your use of RFC1918 address space alone does not > create security. I had this crazy idea that somewhere in the rfcs was a "should" that manufacturers block private address space (i.e. hard coded) but it's not (in fact the opposite). Obviou

Re: Arguing against using public IP space

2011-11-13 Thread William Herrin
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi wrote: > On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis > wrote; >> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html > > Any article that claims a /12 is a 'class B', and a

Re: Arguing against using public IP space

2011-11-13 Thread Leigh Porter
I was involved in a security review of a SCADA system a couple of years ago. Their guy was very impressed with himself and his "Internet air-gap" but managed to leave all their ops consoles on both the SCADA network and their internal corp LAN. Their corp LAN was a mess with holes through their

Re: Arguing against using public IP space

2011-11-13 Thread Jimmy Hess
On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi wrote: > On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis > wrote; > In addition, virtually _every_ ASN operator has ingress filters on their > border routers to block almost all traffic to RFC-1918 destinations. Well, when we are talking about sel
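
Two points from this subthread, as an added example that is not code from the thread or from any poster: the ingress filter Robert Bonomi says practically every operator runs, which is what stands between Jason Lewis's "announce RFC 1918 space to the ISP in front of the target" idea and the target, and the classful arithmetic Robert uses to fault the article (a /12 is sixteen class Bs, not a class B). The martian table is RFC 1918 plus the IPv4 special-purpose blocks of RFC 6890 as I recall them, so check it against a maintained bogon list before copying it into a prefix-list; the sample announcements are constructed.

```python
"""Ingress prefix check against RFC 1918 / special-purpose space, and the
classful description of a CIDR block. Added example for the NANOG thread;
the table is reproduced from memory of RFC 1918 and RFC 6890."""
import ipaddress

# Blocks an edge ingress filter normally refuses to learn from a peer or customer.
MARTIANS = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space / CGN (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved (RFC 1112)",
}
_MARTIAN_NETS = [(ipaddress.ip_network(p), why) for p, why in MARTIANS.items()]


def check_announcement(prefix: str, max_len: int = 24) -> tuple:
    """Decide whether to accept a received IPv4 route. Returns (accept, reason).

    A route overlapping a martian block in either direction is refused: a
    more-specific would pull that space toward the announcer inside our network
    (Jason's scenario), and a covering aggregate attracts traffic for it just
    the same. Real prefix-lists spell this out with `le 32` plus a max-length rule."""
    net = ipaddress.ip_network(prefix, strict=False)
    for mnet, why in _MARTIAN_NETS:
        if net.overlaps(mnet):
            return False, "martian: " + why
    if net.prefixlen > max_len:
        return False, "longer than /%d" % max_len
    return True, "ok"


def rejected(announcements) -> dict:
    """Apply check_announcement to a batch; returns {prefix: reason} for the rejects."""
    out = {}
    for p in announcements:
        ok, why = check_announcement(p)
        if not ok:
            out[p] = why
    return out


# Classful ranges by first octet: (name, classful prefix length, first, last).
CLASSES = (("A", 8, 0, 127), ("B", 16, 128, 191), ("C", 24, 192, 223))


def classful_description(prefix: str) -> str:
    """Describe a CIDR block in classful terms, e.g. 172.16.0.0/12 is
    '16 contiguous class B networks', which the article called 'a class B'."""
    net = ipaddress.ip_network(prefix, strict=False)
    first = int(net.network_address) >> 24
    last = int(net.broadcast_address) >> 24
    for name, bits, lo, hi in CLASSES:
        if lo <= first <= hi:
            if last > hi:
                return "spans more than one class"
            if net.prefixlen > bits:
                return "part of one class %s network" % name
            count = 1 << (bits - net.prefixlen)
            if count == 1:
                return "one class %s network" % name
            return "%d contiguous class %s networks" % (count, name)
    return "class D/E space, not a classful network"


if __name__ == "__main__":
    # Constructed batch: what a customer session might try to announce.
    sample = ["192.168.1.0/24", "172.0.0.0/8", "8.8.8.0/24", "8.8.8.0/25", "0.0.0.0/0"]
    print(rejected(sample))
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        print(p, "=", classful_description(p))
```

The filter is the customer-facing half of Robert's point; the other half, that transit networks also drop packets *to* RFC 1918 destinations, is the same table applied as a data-plane ACL rather than a route policy.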

Re: Arguing against using public IP space

2011-11-13 Thread David Walker
On 14/11/2011, Jason Lewis wrote: > I don't want to start a flame war, If you didn't write it I wouldn't stress about that. > but this article seems flawed to > me. Me too. > It seems an IP is an IP. Yes but in IPv4 land there is a difference although probably not in the way the author "sugg

Re: Arguing against using public IP space

2011-11-13 Thread Dobbins, Roland
On Nov 13, 2011, at 10:36 PM, Jason Lewis wrote: > I don't want to start a flame war, but this article seems flawed to me. The real issue is interconnecting SCADA systems to publicly-routed networks, not the choice of potentially routable space vs. RFC1918 space for SCADA networks, per se. I

Re: Arguing against using public IP space

2011-11-13 Thread Robert Bonomi
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis wrote; > > I don't want to start a flame war, but this article seems flawed to > me. Any article that claims a /12 is a 'class B', and a /16 is a 'Class C', is DEFINITELY 'flawed'. > It seems an IP is an IP. True. *BUT*, "some IP's are mo

Arguing against using public IP space

2011-11-13 Thread Jason Lewis
I don't want to start a flame war, but this article seems flawed to me. It seems an IP is an IP. http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html I think I could announce private IP space, so doesn't that make this argume