[146522] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Nov 15 10:35:08 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <6B29C0B1-6852-46CB-B3EB-1F91AF18A7B8@ukbroadband.com>
Date: Tue, 15 Nov 2011 07:32:37 -0800
To: Leigh Porter <leigh.porter@ukbroadband.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>, "McCall,
Gabriel" <Gabriel.McCall@thyssenkrupp.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
>
>
> On 14 Nov 2011, at 18:52, "McCall, Gabriel" <Gabriel.McCall@thyssenkrupp.com> wrote:
>
>> Chuck, you're right that this should not happen, but the reason it should not happen is because you have a properly functioning stateful firewall, not because you're using NAT. If your firewall is working properly, then having public addresses behind it is no less secure than private. And if your firewall is not working properly, then having private addresses behind it is no more secure than public. In either case, NAT gains you nothing over what you'd have with a firewalled public-address subnet.
>
>
> Well, this is not quite true, is it? If your firewall is not working and you have private space internally then you are a lot better off than if you have public space internally! So if your firewall is not working then having private space on one side is a hell of a lot more secure!
>
This is not true.

If your firewall is not working, it should not be passing packets.

If you put a router where you needed a firewall, then this is not a failure of the firewall, but a failure of the network implementor, and the address space will not have any impact whatsoever on your lack of security.
> As somebody else mentioned on this thread, a NAT box with private space on one side fails closed.
>
So does a firewall.
Owen
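The exchange above turns on two claims: that a stateful firewall with a default-deny policy protects public inside addresses exactly as well as private ones, and that such a firewall fails closed when its rule set is not in effect. The following toy packet filter is an added illustration written for this archive page, not code from the thread or from any of its participants. It models an inside/outside boundary with connection tracking: outbound flows create state, inbound packets are accepted only if they match tracked state, and an unloaded rule set drops everything. A plain `Router` class stands in for "a router where you needed a firewall". The addresses, ports and the `run_scenario` helper are constructed for the example; `203.0.113.0/24` and `198.51.100.0/24` are the IETF documentation ranges used here as stand-ins for public space.

```python
"""Toy stateful packet filter with a default-deny policy.

Constructed example (not from the NANOG thread). It shows that the
protection comes from the stateful rule set, not from whether the
inside prefix is RFC 1918 space or public space, and that an absent
rule set fails closed rather than open.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Default policy DROP; only flows initiated from inside are tracked."""

    def __init__(self, inside_prefix: str, rules_loaded: bool = True):
        self.inside = ip_network(inside_prefix)
        # rules_loaded=False models a filter whose rule set failed to load;
        # the default policy is still DROP, so nothing is forwarded.
        self.rules_loaded = rules_loaded
        self.conntrack: set = set()

    def _is_inside(self, addr: str) -> bool:
        return ip_address(addr) in self.inside

    def process(self, pkt: Packet) -> str:
        if not self.rules_loaded:
            return "DROP"  # fail closed
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: record the expected reply tuple, then accept.
            self.conntrack.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        if not self._is_inside(pkt.src) and self._is_inside(pkt.dst):
            # Inbound: accept only a reply to a tracked flow; drop everything else.
            return "ACCEPT" if key in self.conntrack else "DROP"
        return "DROP"  # traffic not crossing the boundary is out of scope here


class Router:
    """A plain router: forwards everything, keeps no state, enforces no policy."""

    def process(self, pkt: Packet) -> str:
        return "ACCEPT"


def run_scenario(device, inside_host: str) -> dict:
    """Three constructed packets: an inside-initiated request, its reply,
    and an unsolicited inbound connection attempt to the same host."""
    outbound = Packet(inside_host, 51000, "198.51.100.10", 443)
    reply = Packet("198.51.100.10", 443, inside_host, 51000)
    unsolicited = Packet("198.51.100.77", 40000, inside_host, 22)
    return {
        "outbound": device.process(outbound),
        "reply": device.process(reply),
        "unsolicited": device.process(unsolicited),
    }


if __name__ == "__main__":
    # Same verdicts whether the inside prefix is private or public.
    print("private inside:", run_scenario(StatefulFirewall("10.0.0.0/8"), "10.1.2.3"))
    print("public inside: ", run_scenario(StatefulFirewall("203.0.113.0/24"), "203.0.113.5"))
    # No rule set loaded: default policy drops everything (fails closed).
    print("rules unloaded:", run_scenario(StatefulFirewall("203.0.113.0/24", rules_loaded=False), "203.0.113.5"))
    # A router in place of a firewall forwards the unsolicited packet regardless of address space.
    print("router only:   ", run_scenario(Router(), "10.1.2.3"))
```

Running the script prints identical verdicts for the private and public inside prefixes (request and reply accepted, unsolicited attempt dropped), all drops for the unloaded rule set, and all accepts for the bare router, which is the case the reply describes as an implementor's failure rather than a firewall failure.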