On Apr 23, 2010, at 10:34 AM, Matthew Kaufman wrote:

> Matthew Kaufman wrote:
>> Jack Bates wrote:
>>> Matthew Kaufman wrote:
>>>> But none of this does what NAT does for a big enterprise, which is to 
>>>> *hide internal topology*. Yes, addressing the privacy concerns that come 
>>>> from using lower-64-bits-derived-from-MAC-address is required, but it is 
>>>> also necessary (for some organizations) to make it impossible to tell that 
>>>> this host is on the same subnet as that other host, as that would expose 
>>>> information like which host you might want to attack in order to get 
>>>> access to the financial or medical records, as well as whether or not the 
>>>> executive floor is where these interesting website hits came from.
>>>> 
>>> 
>>> Which is why some firewalls already support NAT for IPv6 in some form or 
>>> fashion. These same firewalls will also usually have layer 7 
>>> proxy/filtering support as well. The concerns and breakage of a corporate 
>>> network are extreme compared to non-corporate networks.
>> Agreed on the last point. And I'm following up mostly because I've received 
>> quite a few private messages that resulted from folks interpreting "hide 
>> internal topology" as "block access to internal topology" (which can be done 
>> with filters). What I mean when I say "hide internal topology" is that a 
>> passive observer on the outside, looking at something like web server access 
>> logs, cannot tell how many subnets are inside the corporation or which 
>> accesses come from which subnets. (And preferably, cannot tell whether or 
>> not two different accesses came from the same host or different hosts simply 
>> by examining the IP addresses... but yes, application-level cooperation -- 
>> in the form of a browser which keeps cookies, as an example -- can again 
>> expose that type of information)
>> 
> 
> And to further clarify, I don't think "hide internal topology" is actually 
> something that needs to happen (and can show several ways in which it can be 
> completely violated, including using the browser and/or browser plugins to 
> extract the internal addresses and send them to a server somewhere which can 
> map it all out). But it *is* present as a mandatory checklist item on at 
> least one HIPAA and two SOX audit checklists I've seen... and IT departments 
> in major corporations care much more these days about getting a clean SOX 
> audit than they do about providing connectivity... and given how each affects 
> the stock price, that's not surprising.
> 
> Matthew Kaufman

Yes, much education is required for the audit community.

Owen
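As an added example (not code from the thread or its authors), the script below shows what the passive observer Matthew describes can infer from web server access logs alone: how many /64 subnets are inside, how many distinct hosts each one has, and which hosts carry a MAC-derived (EUI-64) interface identifier that also exposes their hardware address. The log lines are constructed, and the script assumes the client address is the first field of each line.

```python
import ipaddress
from collections import defaultdict

# Constructed web-server access-log lines (common log format, client address first).
# Three hosts on two /64 subnets; the first host uses a MAC-derived (EUI-64) address,
# the fourth uses a randomised interface identifier and so reveals no MAC.
SAMPLE_LOG = """\
2001:db8:1:10:211:22ff:fe33:4455 - - [23/Apr/2010:10:34:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1:10:211:22ff:fe33:4455 - - [23/Apr/2010:10:35:12 +0000] "GET /reports HTTP/1.1" 200 2048
2001:db8:1:20:3a7f:91c0:5e2d:b11 - - [23/Apr/2010:10:36:40 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1:10:d9a1:44e2:c77:8f30 - - [23/Apr/2010:10:37:03 +0000] "GET /login HTTP/1.1" 302 0
2001:db8:1:20:3a7f:91c0:5e2d:b11 - - [23/Apr/2010:10:38:55 +0000] "GET /a HTTP/1.1" 200 100
"""

def is_eui64(addr_str):
    """True if the interface identifier looks MAC-derived (modified EUI-64, RFC 4291):
    0xff 0xfe sits in the middle of the low 64 bits and the universal/local bit is set."""
    b = ipaddress.IPv6Address(addr_str).packed
    return b[11] == 0xFF and b[12] == 0xFE and (b[8] & 0x02) != 0

def eui64_to_mac(addr_str):
    """Recover the 48-bit MAC from a modified EUI-64 interface identifier
    (drop the ff:fe filler, flip the u/l bit back). Caller checks is_eui64 first."""
    b = ipaddress.IPv6Address(addr_str).packed
    mac = bytes([b[8] ^ 0x02, b[9], b[10], b[13], b[14], b[15]])
    return ":".join(f"{x:02x}" for x in mac)

def analyse(log_text):
    """Summarise what the client column alone reveals to an outside observer:
    the number of /64 subnets, distinct hosts per subnet, and leaked MAC addresses."""
    hosts_by_subnet = defaultdict(set)
    eui64_macs = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split()[0]
        # strict=False because the host bits are set; we only want the /64 prefix.
        subnet = ipaddress.IPv6Network(f"{client}/64", strict=False)
        hosts_by_subnet[str(subnet)].add(client)
        if is_eui64(client):
            eui64_macs.add(eui64_to_mac(client))
    return {
        "subnet_count": len(hosts_by_subnet),
        "hosts_per_subnet": {k: len(v) for k, v in hosts_by_subnet.items()},
        "eui64_macs": eui64_macs,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against real logs, the same summary doubles as an audit check: a non-zero `eui64_macs` set means hosts are still using MAC-derived identifiers, and a stable `hosts_per_subnet` map is exactly the topology information the thread argues a prefix-hiding NAT or privacy addressing is meant to withhold.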

