Sander Steffann wrote:
Hi,
In fact, and call me crazy, but I can't help but wonder how many
enterprises out there will see IPv6 and its concept of "real IPs for all
machines, internal and external!" and respond with "Hell No."
Anyone got any numbers for that? I'm happy to admit I don't. :)
No numbers, but the customers I talked to usually have the feeling that
public IP addresses on their machines seem to imply public (and thus
unprotected) reachability for those machines. They don't understand the
difference between NAT and stateful firewalls...
This is what leads to the "Hell No" attitude in my case. Educating them
about security seems the only solution.
I think that rather than attempting to educate their customers about
security firewall vendors will probably just sell a NAT capable IPv6
firewall. It's the path of least resistance to profit. (A lot of
mainstream vendors have helped push the idea that NAT is synonymous with
firewalling. Take the Cisco PIX as an example, where up until very
recently you had to configure NAT to allow traffic through the device.)
Even people I have spoken to who understand the difference between
firewalling/reachability and NATing are still in favour of NAT. The
argument basically goes "Yes, I understand that having a public address
does not necessarily mean being publicly reachable. But having a
private address means that [inbound] public reachability is simply not
possible without explicit configuration to enable it", i.e. NAT is seen
as an extra layer of security.
I want NAT to die but I think it won't.
S
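The point both posters circle around (a globally routable address does not have to mean inbound reachability; a stateful firewall with a default-deny inbound policy gives the same "nothing gets in unless I configure it" property that people credit to NAT) is easy to show as a concrete ruleset. The following nftables ruleset is an added example and is not part of the thread or anyone's production config. The interface names wan0/lan0, the 2001:db8::/32 documentation prefix and the single mail-server address are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 edge firewall with no NAT.
# Internal hosts carry global addresses, yet no unsolicited inbound
# connection reaches them unless a rule below explicitly allows it.
# Interface names and addresses are assumptions, not from the thread.

define wan  = "wan0"                 # assumed upstream interface
define lan  = "lan0"                 # assumed internal interface
define site = 2001:db8:1::/48        # assumed site prefix (documentation range)
define mx   = 2001:db8:1:10::25      # assumed internal mail server

flush ruleset

table ip6 edge {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        # Replies to connections the inside opened are tracked and allowed;
        # this is the part that makes a public address "not reachable".
        ct state established,related accept
        ct state invalid drop

        # Anything the inside initiates may leave.
        iifname $lan oifname $wan ip6 saddr $site accept

        # ICMPv6 that IPv6 needs to function (PMTUD etc.), rate limited.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # The "explicit configuration" step NAT fans want: one service,
        # one address, one port. Nothing else inbound is reachable.
        iifname $wan ip6 daddr $mx tcp dport 25 ct state new accept

        # Log what the default policy is about to drop, for monitoring.
        iifname $wan limit rate 5/minute log prefix "ip6-fwd-drop: "
    }

    chain input {
        type filter hook input priority 0; policy drop;   # firewall itself
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour discovery and router advertisement must pass for IPv6
        # to work at all on the box.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        iifname $lan tcp dport 22 accept                 # admin from inside only
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`. From the outside, every host in 2001:db8:1::/48 except the mail server's port 25 behaves exactly like a host behind NAT: connection attempts are dropped (and logged), while return traffic for connections opened from inside is admitted by the conntrack state match. The difference from NAT is that the addresses stay end-to-end and the logs show the real internal destination, which is what you want when investigating a dropped probe.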