[82199] in North American Network Operators' Group
Re: mh (RE: OMB: IPv6 by June 2008)
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Fri Jul 8 16:19:03 2005
Date: Fri, 8 Jul 2005 14:10:25 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: nanog@merit.edu
In-Reply-To: <0ff41a77bed0822853cc2cc1b1090fe1@cs.cmu.edu>; from David Andersen <dga+@cs.cmu.edu> on Fri, Jul 08, 2005 at 01:15:42PM -0400
Errors-To: owner-nanog@merit.edu
On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote:
> On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:
> > On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
> >> And if you still want "the protection of NAT," any stateful firewall
> >> will do it.
> >
> > That seems a common viewpoint.
> >
> > I believe the very existence of the Ping Of Death rebuts it.
> >
> > A machine behind a NAT box simply is not visible to the outside world,
> > except for the protocols you tunnel to it, if any. This *has* to
> > vastly reduce it's attack exposure.
>
> Not really. Consider the logic in a NAT box:
[ ... ]
> and the logic in a stateful firewall:
Sorry. Given my other-end-of-the-telescope perspective, I was
envisioning an *on-machine* firewall, rather than a box. Clearly *any*
sort of box in the middle helps in the fashion I alluded to, whether it
NATs or not.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me
