[125955] in North American Network Operators' Group


Re: the alleged evils of NAT,

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Apr 27 14:49:29 2010

To: Jon Lewis <jlewis@lewis.org>
In-Reply-To: Your message of "Tue, 27 Apr 2010 14:37:08 EDT."
	<Pine.LNX.4.61.1004271429530.5148@soloth.lewis.org>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 27 Apr 2010 14:47:26 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:

> Maybe we want end-to-end to break.
> 
> Firewalls can trivially be misconfigured such that they're little more 
> than routers, fully exposing all the hosts behind them to everything bad 
> the internet has to offer (hackers, malware looking to spread itself, 
> etc.).
> 
> At least with NAT, if someone really screws up the config, the "inside" 
> stuff is all typically on non-publicly-routed IPs, so the worst likely to 
> happen is they lose internet, but at least the internet can't directly 
> reach them.

You *do* realize that the skill level needed to misconfigure a firewall
into that state, and the skill level needed to do the exact same thing to
a firewall-NAT box, are *both* less than the skill level needed to remember
to also deploy traffic monitors so you know you screwed up, and host-based
firewalls to guard against chuckleheads screwing up the border box?

In other words, if your security scheme relies on that supposed feature of NAT,
you have *other* things you need to be working on.

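Added example, not code from the message above or from NANOG: a small Python auditor for the state both posters describe, an iptables-save dump in which the FORWARD chain ends in ACCEPT (the firewall is "little more than a router") or, on a NAT box, a catch-all DNAT aims the whole public side at one inside host. The two dumps, the interface names (eth0 outside, eth1 inside) and the address 192.168.1.10 are constructed for the example; the parser handles only the iptables-save subset those dumps use.

```python
"""Audit an iptables-save dump for the "firewall is just a router" state.
Added example, not code from the message above. It parses the subset of
iptables-save syntax used in the constructed dumps at the bottom. Jumps to
user-defined chains are not followed (treated as non-terminating), so a
permissive policy sitting behind one is still reported.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "-A CHAIN <matches> -j TARGET <target args>"; <matches> may be empty.
RULE_RE = re.compile(r"-A (\S+)\s*(.*?)\s*-j (\S+)\s*(.*)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    matches: str          # "" means the rule fires on every packet
    target: str
    target_args: str = ""

@dataclass
class Chain:
    policy: str = "-"     # built-in chains carry ACCEPT/DROP, user chains "-"
    rules: list[Rule] = field(default_factory=list)

def parse_dump(dump: str) -> dict[str, dict[str, Chain]]:
    """Return {table: {chain: Chain}} from iptables-save text."""
    tables: dict[str, dict[str, Chain]] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):              # "*filter", "*nat"
            table = line[1:]
            tables.setdefault(table, {})
        elif table is None:
            continue
        elif line.startswith(":"):            # ":FORWARD DROP [0:0]"
            name, policy = line[1:].split()[:2]
            tables[table][name] = Chain(policy=policy)
        elif (m := RULE_RE.match(line)):
            chain, matches, target, args = m.groups()
            tables[table].setdefault(chain, Chain()).rules.append(
                Rule(matches, target, args))
    return tables

def forward_default(filter_chains: dict[str, Chain]) -> str:
    """Fate of a forwarded packet no specific rule matched: the first
    catch-all terminating rule decides, otherwise the chain policy does."""
    fwd = filter_chains.get("FORWARD", Chain(policy="ACCEPT"))
    for rule in fwd.rules:
        if rule.matches == "" and rule.target in TERMINATING:
            return rule.target
    return fwd.policy

def audit(dump: str) -> list[str]:
    """Return findings; an empty list means nothing obvious is wrong."""
    tables = parse_dump(dump)
    findings = []
    if forward_default(tables.get("filter", {})) == "ACCEPT":
        findings.append("filter/FORWARD: unmatched traffic is ACCEPTed, "
                        "so the box forwards everything like a plain router")
    for rule in tables.get("nat", {}).get("PREROUTING", Chain()).rules:
        # DNAT with no protocol or port match is a 'DMZ host': every
        # unsolicited packet arriving on that interface reaches it.
        if rule.target == "DNAT" and not re.search(
                r"(^|\s)(-p|--dport|--dports)(\s|$)", rule.matches):
            findings.append("nat/PREROUTING: catch-all DNAT "
                            f"({rule.target_args}) exposes one inside host")
    return findings

# Constructed dumps. In MISCONFIGURED the NAT works and nothing looks broken
# from inside, yet every unsolicited packet lands on 192.168.1.10.
MISCONFIGURED = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
HARDENED = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.1.10 -p tcp --dport 443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: "
-A FORWARD -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("MISCONFIGURED", MISCONFIGURED), ("HARDENED", HARDENED)):
        print(name, audit(dump) or ["no findings"])
```

Run it against `iptables-save` output from the border box (for example from a cron job that mails or logs the findings) and the misconfiguration is reported the moment it appears, which is the "monitor so you know you screwed up" part; the host-based firewall on each inside machine is the separate layer that limits the damage until someone reads that report.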