[170234] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (Lee Howard)
Tue Mar 25 09:37:09 2014
Date: Tue, 25 Mar 2014 09:36:36 -0400
From: Lee Howard <Lee@asgard.org>
To: William Herrin <bill@herrin.us>
In-Reply-To: <CAP-guGXDicnvabPk9zw8mFGKTtABLVbeyN+dBoMCiK3H-qC-BQ@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/24/14 2:38 PM, "William Herrin" <bill@herrin.us> wrote:
>On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee@asgard.org> wrote:
>> On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
>>>That would be one of those "details" on which smart people disagree.
>>>In this case, I think you're wrong. Modern NAT superseded the
>>>transparent proxies and bastion hosts of the '90s because it does the
>>>same security job a little more smoothly. And proxies WERE designed to
>>>act as a security feature.
>>
>> What kinds of devices are we talking about here? Are we talking about the
>> default NAT on a home network router, or an enterprise-level NAT operating
>> on a firewall?
>
>Hi Lee,
>
>I don't see NAT as a deployment issue for residential networks. Most
>folks just hook their computer up to whatever CPE the vendor sends
>them without any further attention.
>
>
>> If we're talking about an enterprise firewall, then I don't
>> understand--we're talking about a firewall. If it implements a symmetric
>> NAT in addition to a stateful firewall, then it's implementing the same
>> function twice. But, hey, it's your network, if
>> security-through-obscurity is one of your defense in depth layers, that's
>> fine.
>
>"Obscurity" offers one or more defense layers. If you disagree, post
>your passwords here.
One that is largely mocked by security professionals. However, ULA can do
this.
>
>Unaddressability is a second defense layer.
I offered ULA+NPT66. I don't recommend it, but it has been described as
working, and provides addresses which are not globally reachable.
>
>Stateful firewalling is a third.
We agree.
Lee