[134855] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Steven Kurylo)
Wed Jan 12 12:58:45 2011
In-Reply-To: <4D2DE6B0.2010308@brightok.net>
Date: Wed, 12 Jan 2011 09:57:51 -0800
From: Steven Kurylo <skurylo+nanog@gmail.com>
To: Jack Bates <jbates@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates <jbates@brightok.net> wrote:
>
> As my corp IT guy put it to me, PAT forces a routing disconnect between
> internal and external. There is no way to reach the hosts without the
> firewall performing its NAT function.
But that's not true. If you have NAT, without a firewall, I can
access your internal hosts (by addressing their RFC 1918 address)
because you'll be leaking your RFC 1918 addresses in and out.
Granted, I might have to be in your immediate upstream, but it can be
done.
So at best, all it does is limit how many hops away I need to be from
you to attack you.
Some benefit? Yes. Enough benefit to be worth the trouble? I
personally am not convinced.
Considering the number of people who mistake the amount of security
NAT provides, we're probably better off without it to remove that
false sense of security.