[146602] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Dave Hart)
Thu Nov 17 00:56:42 2011

In-Reply-To: <CALFTrnOBOYDpwO_Ex8svYwkOjRWaUbHLwZynd_NBer-JH+fbjQ@mail.gmail.com>
From: Dave Hart <davehart@gmail.com>
Date: Thu, 17 Nov 2011 05:56:07 +0000
To: Ray Soucy <rps@maine.edu>
Cc: NANOG <nanog@nanog.org>
Reply-To: davehart_gmail_exchange_tee@davehart.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Nov 16, 2011 at 20:38, Ray Soucy <rps@maine.edu> wrote:
> I would go as far as to argue that the false sense of security
> provided by NAT is more dangerous than any current threat that NAT
> alone would prevent.

Agreed, and I don't think that's going far at all.  My opinion is
_both_ stateful firewalls and NATs have been responsible for providing
cover for those who fail to secure their endpoints.  Yes, dropping a
choke point in front of X hosts is X times easier than securing the X
hosts.  No, it didn't secure X hosts.

"Outside is dangerous, inside is trusted" is the root of much current
evil.  Breaking end-to-end and encouraging everything that needs it to
jump through ugly hoops such as UDP NAT traversal or carrying all
sorts of non-HTTP over 80 and 443 has made it harder to secure
networks, not easier.

Cheers,
Dave Hart
