[146507] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Leigh Porter)
Tue Nov 15 05:56:19 2011
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: "McCall, Gabriel" <Gabriel.McCall@thyssenkrupp.com>
Date: Tue, 15 Nov 2011 10:57:32 +0000
In-Reply-To: <28059c8f-d60b-49ce-a0a8-63544eea2e05@blur>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 14 Nov 2011, at 18:52, "McCall, Gabriel" <Gabriel.McCall@thyssenkrupp.com> wrote:
> Chuck, you're right that this should not happen- but the reason it should not happen is because you have a properly functioning stateful firewall, not because you're using NAT. If your firewall is working properly, then having public addresses behind it is no less secure than private. And if your firewall is not working properly, then having private addresses behind it is no more secure than public. In either case, NAT gains you nothing over what you'd have with a firewalled public-address subnet.
Well this is not quite true, is it.. If your firewall is not working and you have private space internally then you are a lot better off than if you have public space internally! So if your firewall is not working then having private space on one side is a hell of a lot more secure!
As somebody else mentioned on this thread, a NAT box with private space on one side fails closed.
--
Leigh