[LINK] www.ipv6.org.au/summit

Kim Holburn kim at holburn.net
Tue Sep 2 16:58:37 AEST 2008


On 2008/Sep/02, at 3:01 AM, Karl Auer wrote:

> On Tue, 2008-09-02 at 09:53 +1000, Saliya Wimalaratne wrote:
>> The less information revealed about any network to potentially hostile
>> parties, the better. I'd call this a tangible benefit; and use this benefit
>> to challenge your challenge :)
>
> Yes, it is generally true that "the less information revealed about any
> network to potentially hostile parties, the better". But sometimes the
> amount of "better" is so small as to be irrelevant. And sometimes the
> "better" comes at a cost which may outweigh the benefit. NAT has some
> pretty serious downsides.
>
> The simplest of packet filters can make it impossible for me to contact
> a machine in your network, even if I do know its address.

Even NAT firewalls which are protected by your basic packet filters +
NAT were/are subject to the cross-site scripting attacks that allowed
remote reprogramming of firewalls. So yes, you can't initiate a
contact into the network directly, but you can use an internally
initiated contact to attack a machine and even then attack other
machines in that network.

Mind you, in home networks those hacks only work because people hardly
ever change the defaults in their firewalls. They leave the internal
private network as the default and they mostly even leave the password
unaltered (although the password wasn't the issue with those
attacks). Most networks protected by plain packet filters have at
least one person looking after them and wouldn't be subject to those
attacks.

Home networks connect via dynamic IP, so even if a hacker collected
info about the network they wouldn't have a way of keeping it or
relating it to other times they got info. A plain public network can
be probed over and over and the info collected, collated and stored.
No matter what protections the network has, someone getting in can
potentially have a lot of info about it.

> Hiding your addresses is basically another form of security through
> obscurity.

There's nothing inherently wrong with security by obscurity.  It's a  
good addition to any security and home users need everything they can  
get. It also goes along with security by diversity which can have real  
benefits.

> The addresses of your hosts really don't matter; what counts
> is how well they are protected and how well they protect themselves. The
> simplest of packet filters can make it impossible for me to contact a
> machine in your network, even if I do know its address.

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
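Karl's point that a plain stateful packet filter, not NAT, is what stops unsolicited inbound contact with globally addressed hosts can be shown with a concrete ruleset. The following nftables configuration for an IPv6 home router is an added example, not something either poster wrote; the interface names wan0 and lan0 and the management ports are assumptions.

```nft
# Assumed interfaces: wan0 faces the ISP, lan0 faces the home network.
# No NAT anywhere: hosts keep their global addresses, yet nothing
# outside can open a connection to them unless a LAN host initiated it.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 the router itself needs (neighbour discovery, PMTUD, diagnostics)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # Router's own admin/DNS/DHCPv6 services reachable from the LAN only;
        # the WAN side never sees the management interface (assumed ports).
        iifname "lan0" tcp dport { 22, 443 } accept
        iifname "lan0" udp dport { 53, 547 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to flows that LAN hosts started are allowed back in
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate anything outbound
        iifname "lan0" oifname "wan0" accept
        # ICMPv6 error messages must cross the router for IPv6 to work
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # Everything else arriving on wan0 for a LAN address hits the drop policy
    }
}
```

Load it with `nft -f` on the router; inbound probes to a LAN host's global address are dropped by the forward chain's policy regardless of whether the prober knows the address.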