Showing posts with label IPv6. Show all posts

Monday, May 11, 2015

construction

Working on a site out of town.   Learning many new things.  The crash course in PPPOE was interesting.

Routing and Switching class final is tomorrow.  Need to schedule the CCENT for about 2 weeks from then.  That should give me enough time, without being too much time.

I think I've come to the conclusion that IPv6 will permanently be a WAN interface technology, while the world uses dual stack routers to NAT into IPv4 private addresses.  

One traceroute from outside and a nefarious person could map your entire internal addressing scheme.  But that doesn't work if NAT is involved: the door shuts at the front door, not somewhere inside.  That's really the problem with globally routable IP addresses inside your network.  If you don't have traceroute blocked, you'll end up giving away your entire network structure.
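To make the point concrete, here is a small added check (example code, not from the original post) that reads a traceroute capture the way an outsider would see it and reports how much of a site's internal addressing the replies give away. The site prefix 2001:db8:10::/48 and both traceroute outputs are constructed for the example; the second capture shows the same path after the site's edge stops forwarding ICMPv6 time-exceeded replies from inner routers outward, so those hops print as `* * *`.

```python
import ipaddress
import re

# Site prefix assumed for the example: 2001:db8::/32 is the documentation
# range, and this /48 is a constructed allocation, not a real network.
SITE_PREFIX = ipaddress.ip_network("2001:db8:10::/48")

# Constructed traceroute output as seen from outside the site. Hops 1-2 are
# upstream transit; hops 3-5 are the site's own routers; hop 6 is the target.
EXPOSED_TRACE = """\
traceroute to 2001:db8:10:20::50 (2001:db8:10:20::50), 30 hops max
 1  2001:db8:ffff::1  1.2 ms  1.1 ms  1.3 ms
 2  2001:db8:ffff:1::2  3.0 ms  2.9 ms  3.1 ms
 3  2001:db8:10::1  4.1 ms  4.0 ms  4.2 ms
 4  2001:db8:10:1::1  5.3 ms  5.1 ms  5.2 ms
 5  2001:db8:10:20::1  6.0 ms  6.1 ms  5.9 ms
 6  2001:db8:10:20::50  6.2 ms  6.3 ms  6.1 ms
"""

# Same path after the site filters time-exceeded replies leaving the inside:
# the edge router still answers for itself, the inner routers go silent.
FILTERED_TRACE = """\
traceroute to 2001:db8:10:20::50 (2001:db8:10:20::50), 30 hops max
 1  2001:db8:ffff::1  1.2 ms  1.1 ms  1.3 ms
 2  2001:db8:ffff:1::2  3.0 ms  2.9 ms  3.1 ms
 3  2001:db8:10::1  4.1 ms  4.0 ms  4.2 ms
 4  * * *
 5  * * *
 6  2001:db8:10:20::50  6.2 ms  6.3 ms  6.1 ms
"""

HEADER_RE = re.compile(r"^traceroute to (\S+)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(trace_text):
    """Return (target, [(hop_number, address_or_None), ...]).

    A hop whose probes all timed out is printed as '* * *' and is
    recorded as None.
    """
    target = None
    hops = []
    for line in trace_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target = ipaddress.ip_address(header.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, token = int(m.group(1)), m.group(2)
        hops.append((number, None if token == "*" else ipaddress.ip_address(token)))
    return target, hops


def exposure_report(trace_text, site_prefix):
    """Classify each hop and summarise what an outsider learns about the site."""
    target, hops = parse_hops(trace_text)
    report = {"target": str(target), "transit": [], "internal": [], "silent": 0}
    for _number, addr in hops:
        if addr is None:
            report["silent"] += 1
        elif addr == target:
            continue  # the destination address was chosen by the prober, nothing new
        elif addr in site_prefix:
            report["internal"].append(str(addr))  # site infrastructure revealed
        else:
            report["transit"].append(str(addr))
    # Every internal router address that answers gives away the /64 it sits on.
    subnets = {ipaddress.ip_network(f"{a}/64", strict=False) for a in report["internal"]}
    report["revealed_subnets"] = [str(n) for n in sorted(subnets)]
    return report


if __name__ == "__main__":
    for label, trace in (("unfiltered", EXPOSED_TRACE), ("filtered", FILTERED_TRACE)):
        r = exposure_report(trace, SITE_PREFIX)
        print(f"{label}: {len(r['internal'])} internal hops answered, "
              f"{r['silent']} silent, subnets revealed: {r['revealed_subnets']}")
```

With the unfiltered capture the report lists three internal router addresses and three /64s; with the filtered capture only the edge router is visible, which is the difference the paragraph above is describing. The same function works on an IPv4 traceroute toward a NAT edge (pass the private range as the site prefix), where the internal list comes back empty because nothing behind the translator is reachable to be probed.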

It's not the "one shot, one kill" approach to network security.  There isn't such a thing.  There is only security in depth.   Walls and trenches and gates and guards and ACLs and NAT and every other thing you can possibly throw between you and the outside world.  Maybe some machine gun nests and razor wire, as well.

Monday, October 27, 2014

Information Density

I spent most of the last couple of days studying Cisco Introduction to Networks material.  The chapter on IP addressing was incredibly dense.  I ended up taking 25 pages of written notes during the entire thing.

I think what I learned from all of it is the future of the Internet is in the hands of two distinctly different people with distinctly different goals.  One wants unlimited access to everything and no security.  The other wants security.

There was a time when the Internet was this wild, woolly place of hope and adventure.  It was the great playground of intellectuals and only those in the know could manipulate the world.  Which was great in theory, but not in practice.  Eventually you ran into a human problem, not a technology problem.

I guess it narrows down to the simple fact that people want to get paid for their work.  And the other group believes the Internet should be a free trading ground of ideas.  I think both ideas are capable, but designing the Internet towards one or the other is short-sighted.

From a security standpoint, the argument is that with IPv6, you should use normal router and device hardening techniques and that should be fine.  That idea was designed by someone who never had to protect a network, or anything for that matter.  Security-wise, you should always design for security in depth.  There should be multiple, complementary levels of security.  Combine router hardening with NAT and PAT, VLANs, VPNs, network obfuscation and no DHCP pool and you've got the beginnings of security.  I said beginnings, because each technology has its failings.

It's a big blue marble out there, and a lot of cooks with different plans make for an interesting mix.