[134870] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 12 15:01:50 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTi=0UXXE61GTba1ZEH0DP_Ba_h-KUXvq8iuifTtQ@mail.gmail.com>
Date: Wed, 12 Jan 2011 11:57:34 -0800
To: Paul Ferguson <fergdawgster@gmail.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong <owen@delong.com> wrote:
>
>> No, NAT doesn't provide additional security. The stateful inspection that
>> NAT cannot operate without provides the security. Take away the
>> address mangling and the stateful inspection still provides the same
>> level of security.
>>
>
> There is at least one situation where NAT *does* provide a small amount of
> necessary security.
>
> Try this at home, with/without NAT:
>
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
>
> Without NAT, your unpatched PC will get infected in less than 1 minute.
>
Wrong.

Repeat the experiment with a stateful firewall with default inbound deny and no NAT.

Yep... Same results as NAT.

NAT != security. Stateful inspection = some security.

Next!!

Owen
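
The point of the reply above, as an added illustration that is not part of the original message: a toy Python model of a gateway whose state table enforces default inbound deny, run once with address translation and once without. The class, the function names and all addresses are constructed for this example.

```python
# Added illustration: a toy gateway model, not a real firewall.
# All addresses and ports are constructed documentation-range values.
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.1"  # assumed gateway address, used only in NAT mode


@dataclass
class Gateway:
    nat: bool
    flows: dict = field(default_factory=dict)  # connection state table
    ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow; return the packet as seen outside."""
        if self.nat:
            ext_ip, ext_port = PUBLIC_IP, next(self.ports)  # address mangling
        else:
            ext_ip, ext_port = src, sport                   # passed unchanged
        # Key: the reply tuple we expect. Value: the real inside endpoint.
        self.flows[(dst, dport, ext_ip, ext_port)] = (src, sport)
        return (ext_ip, ext_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Default inbound deny: deliver only if it matches tracked state."""
        return self.flows.get((src, sport, dst, dport))  # None means dropped


def run(nat):
    gw = Gateway(nat=nat)
    # With NAT the inside host is RFC 1918; without NAT it is globally routed.
    inside = "192.168.1.10" if nat else "198.51.100.10"
    seen = gw.outbound(inside, 51000, "192.0.2.80", 443)
    # Reply from the server the inside host contacted.
    reply = gw.inbound("192.0.2.80", 443, seen[0], seen[1])
    # Unsolicited connection attempt to a port with no tracked flow.
    probe = gw.inbound("192.0.2.66", 50000, seen[0], 445)
    # Packet aimed at the open flow's port, but from a different remote host.
    stray = gw.inbound("192.0.2.66", 443, seen[0], seen[1])
    return reply == (inside, 51000), probe is None, stray is None


if __name__ == "__main__":
    for mode in (True, False):
        print("NAT" if mode else "no NAT", run(mode))
```

In both modes the accept/drop decision is a lookup in the state table; the translation branch only changes which address the outside sees.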


