
Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]



Hi John,

On Tue, 5 Apr 2005 20:15:10 -0700
"John Spence, CCSI, CCNA, CISSP" <jspence@native6.com> wrote:

> 
> Mark;
> 
> Good points all.  I agree, host firewall is evolving fast, and will be more
> and more commonly deployed in the future.
> 
> But are you suggesting that the NAP draft, in an effort to push peer-to-peer
> "all the way", advocate removing edge firewalls and ACL in favor of only
> deploying distributed firewalls?  I think that would be going way too far.
> The best way to pry NAT out of the hands of IPv4-oriented security managers
> is to make the case *for* stateful firewalls over NAT routers - not to try
> to suggest, at this stage, that even the stateful firewalls should be pulled
> in favor of having the end nodes use host firewalls to support peer-to-peer
> networking in the purest sense.

Yes and no :-)

Yes, because I think that as the move to IPv6 is relatively disruptive
("disruptive" in the sense that deploying a new technology on a large
scale is usually disruptive no matter how well it is done - it is always
a significant change) it is a good opportunity also to (re)introduce ideas
that we know in the long term will be beneficial. I think the
introduction of IPv6 is also an opportunity to change the way people
think and do things with and in their network.

For example, as I mentioned, modern OSes have firewalling out of the
box. From what I'm aware of, the only component missing, at least in the
commercial space, i.e., products you can buy, for scalable host-based
firewalling is a mechanism to deploy the (corporate) firewalling policy
to the host. I think it just may be around the corner though - server-
based authentication services obviously exist, user "login scripts" that
are pushed to the user's host after authentication have been around for
a long time; it's just a matter of a commercially available mechanism to
push firewall policy to the user's host in a similar manner to login
scripts.

No, because I realise that people don't necessarily like change, and
also like to apply existing and understood models of operation to new
environments or technologies.

Summarising, I'd like to see IPv6 used as an opportunity to introduce and
promote new thinking (well, old, but new to most IPv4 people), and
provide "new" models of deployment. However, for those who are more
resistant to new thinking, identify "old" IPv4 mechanisms and how they
can work with IPv6 as a "fall back" alternative to new thinking or as
part of a migration path to "new thinking".

Regards,
Mark.
-- 

    The Internet's nature is peer to peer.