Just out of curiosity, how does removing port address translation from the equation magically and suddenly make everything exposed, and un-invent the firewall?
-Blake

On Tue, Apr 29, 2014 at 11:00 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
> On 4/29/2014 11:37 PM, TheIpv6guy . wrote:
>> On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
>>> On 4/29/2014 2:06 PM, Owen DeLong wrote:
>>>> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1
>>>> (or even 3) IPv6 prefixes…
>>>> As a bonus, we could get rid of NAT, too. ;-)
>>>> /me ducks (but you know I had to say it)
>>> Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
>>> etc had been eliminated by process of "can't get there from here"... we
>>> expose millions more endpoints...
>>>
>>> /me ducks too (but you know *I* had to say it)
>>>
>> No ducking here. You forgot Nimda. Do you have an example from the
>> last 10 years of this class?
>
> Oh? Anything hitting portmapper (tcp/135), or CIFS (tcp/445), or RDP
> (tcp/3389 -- CVE-2012-0002 ring any bells?).
>
> The vulnerabilities never stop. We just stop paying attention because
> most of us have blocked 135-139 and 445 and 3389 at the border long ago.
>
> Now granted that 80/443 (server-side) are more dangerous these days :)
> But that doesn't eliminate the original risks.
>
> These are ports that were originally open by default... and if you
> "don't" have a perimeter policy, you're "wrong" (policy, compliance,
> regulation, etc).
>
> Not to mention that PCI compliance requires you are RFC1918 (non-routed)
> at your endpoints, but I digress...
>
> Jeff
>
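The point Blake and Jeff are circling, that what kept unsolicited traffic off 135-139, 445 and 3389 was a perimeter policy rather than address translation as such, can be shown with a small model of a stateful border filter for a site whose hosts carry globally routable IPv6 addresses and no NAT. This is an added illustration written for this thread; it is not code from any of the posters. The site prefix, host addresses and packets are constructed (RFC 3849 documentation space), and `StatefulFilter`, `Packet` and `run_demo` are names chosen here.

```python
"""Model of a default-deny, stateful perimeter filter in front of an
un-NATed IPv6 site. Added example for the thread above, not poster code.
All addresses, ports and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site prefix (RFC 3849 documentation range).
INSIDE = ip_network("2001:db8:1::/48")

# TCP ports the thread says most sites blocked at the border long ago.
LEGACY_BLOCK = set(range(135, 140)) | {445, 3389}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Inbound is denied by default; replies to inside-initiated flows are
    allowed. No address is rewritten anywhere, so the policy, not NAT, is
    what keeps the inside hosts unreachable from outside."""

    def __init__(self):
        # Flows opened from inside, keyed (src, sport, dst, dport).
        self.flows = set()

    def decide(self, pkt: Packet) -> str:
        src_inside = ip_address(pkt.src) in INSIDE
        dst_inside = ip_address(pkt.dst) in INSIDE

        if src_inside and not dst_inside:
            # Outbound: accept and record so the reply direction is known.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"

        if dst_inside and not src_inside:
            # Inbound: only replies to flows we opened get through.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "accept"
            # Explicit rule for the legacy ports, mainly so logs say why.
            if pkt.proto == "tcp" and pkt.dport in LEGACY_BLOCK:
                return "drop:legacy-port"
            # Everything else unsolicited hits the default-deny.
            return "drop:unsolicited"

        # Inside-to-inside or transit traffic is out of scope for this model.
        return "accept"


def run_demo():
    """Feed constructed packets through the filter; returns the decisions."""
    fw = StatefulFilter()
    host = "2001:db8:1:10::25"      # constructed inside host, globally routable
    web = "2001:db8:ffff::80"       # constructed outside web server
    outside = "2001:db8:bad::1"     # constructed outside source
    packets = [
        ("outbound https", Packet(host, 50123, web, 443)),
        ("https reply", Packet(web, 443, host, 50123)),
        ("inbound smb", Packet(outside, 40000, host, 445)),
        ("inbound rdp", Packet(outside, 40001, host, 3389)),
        ("inbound 8080", Packet(outside, 40002, host, 8080)),
    ]
    return {name: fw.decide(p) for name, p in packets}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} -> {verdict}")
```

The inside host is fully routable, yet the unsolicited SMB and RDP segments never reach it, and the HTTPS reply does, because the filter tracks state rather than because the address was hidden. A real border ruleset (for example nftables with `ct state established,related accept` and a drop policy on the inbound chain) does the same thing with timeouts, ICMPv6 handling for neighbor discovery and path MTU, and logging, all of which this model leaves out.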