[146495] in North American Network Operators' Group


Re: Ok; let's have the "Does DNAT contribute to Security" argument

daemon@ATHENA.MIT.EDU (William Herrin)
Mon Nov 14 19:07:40 2011

In-Reply-To: <alpine.OSX.1.10.1111141447170.8578@rastawifi.orthanc.ca>
From: William Herrin <bill@herrin.us>
Date: Mon, 14 Nov 2011 19:06:13 -0500
To: Lyndon Nerenberg <lyndon@orthanc.ca>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
> But a NAT implementation adds thousands of lines of code to the path the
> packets take, and any time you introduce complexity you decrease the overall
> security of the system. And the complexity extends beyond the NAT box.
> Hacking on IPsec, SIP, and lord knows what else to work around address
> rewriting adds even more opportunities for something to screw up.
>
> If you want security, you have to DEcrease the number of lines of code in
> the switching path, not add to it.

Hi Lyndon,

Counterpoint:

Using two firewalls in serial from two different vendors doubles the
complexity. Yet it almost always improves security: fat fingers on one
firewall rarely repeat the same way on the second and a rogue packet
must pass both.

The same two firewalls in parallel surely reduce security.


Is complexity the enemy of security? In general principle yes, but as
with many things IT DEPENDS.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
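As an added illustration, not part of Bill's post or of the thread, here is a small Python model of the serial-versus-parallel point above. Two hypothetical vendor policies each carry a different constructed "fat finger" (one mistakenly permits tcp/22, the other tcp/3389); composing them in series means a packet must pass both, composing them in parallel means either path suffices. The packet set, the intended policy and the function names are all assumptions made up for this example.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


# Constructed packet universe: the protocol/port pairs an auditor would probe.
PACKETS = [Packet(p, d) for p, d in product(("tcp", "udp"), (22, 53, 80, 443, 3389))]

# Constructed intended policy: only web traffic and DNS should get through.
INTENDED = {Packet("tcp", 80), Packet("tcp", 443), Packet("udp", 53)}


def policy_a(pkt: Packet) -> bool:
    """Hypothetical vendor A ruleset; its fat-finger also permits tcp/22."""
    return pkt in INTENDED or pkt == Packet("tcp", 22)


def policy_b(pkt: Packet) -> bool:
    """Hypothetical vendor B ruleset; a different fat-finger permits tcp/3389."""
    return pkt in INTENDED or pkt == Packet("tcp", 3389)


def serial(*policies):
    """Firewalls in series: a packet is forwarded only if every policy allows it."""
    return lambda pkt: all(p(pkt) for p in policies)


def parallel(*policies):
    """Firewalls in parallel: a packet is forwarded if any one policy allows it."""
    return lambda pkt: any(p(pkt) for p in policies)


def allowed(policy, packets=PACKETS):
    """The set of probe packets a composed policy lets through."""
    return {pkt for pkt in packets if policy(pkt)}


def unintended_exposure(policy, packets=PACKETS, intended=INTENDED):
    """Packets that get through but should not: the misconfiguration surface."""
    return allowed(policy, packets) - intended


if __name__ == "__main__":
    for name, pol in (("A alone", policy_a), ("B alone", policy_b),
                      ("A then B (serial)", serial(policy_a, policy_b)),
                      ("A or B (parallel)", parallel(policy_a, policy_b))):
        exposed = sorted((p.proto, p.dport) for p in unintended_exposure(pol))
        print(f"{name:20s} unintended exposure: {exposed}")
```

Run it and the serial composition shows an empty exposure set: each vendor's mistake is masked by the other box, because a rogue packet must survive both rulesets, so the exposure of the chain is the intersection of the individual exposures. The parallel composition exposes the union of both mistakes. The flip side, also visible in `allowed`, is that a serial chain can only narrow what gets through, so an error on either box that blocks legitimate traffic is not masked at all; that is an availability cost, not a security one.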

