[LINK] www.ipv6.org.au/summit
Kim Holburn
kim at holburn.net
Tue Sep 2 16:58:37 AEST 2008
On 2008/Sep/02, at 3:01 AM, Karl Auer wrote:
> On Tue, 2008-09-02 at 09:53 +1000, Saliya Wimalaratne wrote:
>> The less information revealed about any network to potentially hostile
>> parties, the better. I'd call this a tangible benefit; and use this
>> benefit to challenge your challenge :)
>
> Yes, it is generally true that "the less information revealed about any
> network to potentially hostile parties, the better". But sometimes the
> amount of "better" is so small as to be irrelevant. And sometimes the
> "better" comes at a cost which may outweigh the benefit. NAT has some
> pretty serious downsides.
>
> The simplest of packet filters can make it impossible for me to contact
> a machine in your network, even if I do know its address.
Even NAT firewalls that are protected by your basic packet filters +
NAT were/are subject to the cross-site scripting attacks that allowed
remote reprogramming of firewalls. So yes, you can't initiate a
contact into the network directly, but you can use an internally
initiated contact to attack a machine and even then attack other
machines in that network.
Mind you, in home networks those hacks only work because people hardly
ever change the defaults in their firewalls. They leave the internal
private network as the default and they mostly even leave the password
unaltered (although the password wasn't the issue with those
attacks). Most networks protected by plain packet filters have at
least one person looking after them and wouldn't be subject to those
attacks.
Home networks connect via dynamic IP, so even if a hacker collected
info about the network they wouldn't have a way of keeping it or
relating it to other times they got info. A plain public network can
be probed over and over and the info collected, collated and stored.
No matter what protections the network has, someone getting in can
potentially have a lot of info about it.
> Hiding your addresses is basically another form of security through
> obscurity.
There's nothing inherently wrong with security by obscurity. It's a
good addition to any security and home users need everything they can
get. It also goes along with security by diversity which can have real
benefits.
> The addresses of your hosts really don't matter; what counts
> is how well they are protected and how well they protect themselves. The
> simplest of packet filters can make it impossible for me to contact a
> machine in your network, even if I do know its address.
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
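The packet-filter argument in the exchange above, as an added example that is not part of the original post: a small Python model of a stateful filter sitting in front of an IPv6 network that uses global addresses and no NAT. The inside prefix and the host addresses are constructed values from the documentation range, not anything taken from the thread, and the filter tracks only address/port tuples (no TCP state machine, no timeouts, no ICMPv6 handling). It shows both halves of the point being argued: an outsider who knows a host's address still cannot open a connection to it, while a flow that an inside host initiates, and any reply that rides on it, passes the filter regardless of who is on the other end.

```python
"""Stateful packet filter model (added example, not code from the thread).

Inbound packets are admitted only when they belong to a flow that a host
on the inside initiated. Knowing an inside host's address is therefore
not enough to reach it; being contacted by it is.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        # Flows the inside started: (inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def process(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet, updating flow state."""
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: an inside host initiates. Remember the flow so the
            # peer's replies can come back through the filter.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if dst_in and not src_in:
            # Inbound: admit only a reply to a flow the inside started.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ACCEPT"
            return "DROP"
        # Inside-to-inside or outside-to-outside traffic never crosses
        # this filter; drop anything that claims to.
        return "DROP"


def demo() -> dict:
    """Run the scenario from the thread against constructed sample addresses."""
    fw = StatefulFilter("2001:db8:1::/64")          # constructed inside prefix
    host = "2001:db8:1::10"                          # constructed inside host
    outsider = "2001:db8:ffff::bad"                  # constructed outside host
    results = {}
    # The outsider knows the host's global address and tries to open SSH to it.
    results["unsolicited"] = fw.process(Packet(outsider, 40000, host, 22))
    # The inside host itself connects out to the outsider (e.g. a browser visit).
    results["outbound"] = fw.process(Packet(host, 51000, outsider, 80))
    # The outsider's reply on that flow is admitted: the inside initiated it.
    results["reply"] = fw.process(Packet(outsider, 80, host, 51000))
    # Same outsider, but aimed at a port with no tracked flow: still dropped.
    results["probe_other_port"] = fw.process(Packet(outsider, 80, host, 445))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Address hiding plays no part in the ACCEPT/DROP decision above; only direction and flow state do. That is also why the "internally initiated contact" caveat in the post holds: once an inside host opens a flow to an outside party, the filter has no basis to refuse what comes back on it.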