Tag Archives: Network Design

Bad IPv6 Approaches

I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet via two ISPs while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong in terms of sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?

Let’s dig into some misconceptions concerning IPv6:


Why Ping is no Security Flaw! (But your Friend)

One core topic when designing firewall policies is the following question: Is ping a security attack? Should ICMP echo-request messages be blocked in almost all directions?

My short answer: Ping is your friend. :) You won’t block hackers by blocking ping. Instead, ping is quite useful for network administrators checking basic network connectivity. That is, I suggest allowing ping almost everywhere, except for incoming requests from the Internet to the trusted networks.

Here comes a discussion:


Why NAT has nothing to do with Security!

In my job I frequently discuss with people why they use NAT, or why they believe that NAT adds any security to their networks, mainly some obscurity, since NAT (PAT) hides the internal network structure. However, NAT does not add any real security to a network, while it breaks almost all good concepts of structured network design. To emphasize this thesis, here is a discussion:
