North American Network Operators Group
Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)
At 09:13 AM 10/2/2007, Iljitsch van Beijnum wrote:
On 2-Oct-2007, at 15:05, Adrian Chadd wrote:
It might help if you understood why deep packet inspection firewalls exist. If it were as easy as opening holes and trusting hosts, Cisco would not have a market for its PIX/ASA products, SonicWALL wouldn't exist, Juniper wouldn't have bought NetScreen, and so forth. The reality is end hosts are not sufficiently secure. Network security is built in layers. Sure, you use whatever you can in the hosts, but you don't trust it.
Microsoft has had some spectacular holes that impacted even uninfected hosts (by DDoS) such as CodeRed. And this isn't a knock on Microsoft. There've been security issues with most systems at one point or another. Trusting end systems is insufficient.
Site security policies are often far more complex than can be addressed by the servers to be protected, and involve VPN access, time-of-day rulesets, attack signature analysis and the like.
You can have an ALG, the application or the OS do this. As you probably know by now, I don't favor the ALG approach.
That's great that you don't favor it, but firewalls with stateful inspection can and do look deep into packets to figure out if the packets are legitimate. These devices sell, because they help. This, like NAT, is something that came about because of need. IPv6 does not remove the need for firewalls. Arguably because of the volume of relatively untested software involved on the hosts, firewalls will be quite important.
End-to-end-ness is and has been "busted" in the corporate world AFAICT for a number of years. IPv6 "people" seem to think that simply providing globally unique addressing to all endpoints will remove NAT and all associated trouble. Guess what - it probably won't.
So I'm sure you've explained to the firewall vendors they should be selling proxy boxes instead, and they've listened to you. Sorry the market has dictated solutions you don't like. Time to move on, and stop fighting a battle that's been lost.