[97205] in North American Network Operators' Group


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

daemon@ATHENA.MIT.EDU (Tony Hain)
Mon Jun 4 15:30:12 2007

Reply-To: <alh-ietf@tndh.net>
From: "Tony Hain" <alh-ietf@tndh.net>
To: "'Jim Shankland'" <nanog@shankland.org>,
	"'Owen DeLong'" <owen@delong.com>
Cc: "'NANOG list'" <nanog@nanog.org>
In-Reply-To: <E1HvHM7-0007vr-6F@mail.shankland.org>
Date: Mon, 4 Jun 2007 12:12:18 -0700
Errors-To: owner-nanog@merit.edu


Jim Shankland wrote:
> Owen DeLong <owen@delong.com> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
> 
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
> 
> *No* security gain?  No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN?  Or to access a single, corporate Web site?
> 
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box?  When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
> 
> Jim Shankland

Mangling the header did nothing for 'security'. The lack of state at the
network edge is the security tool here. A firewall provides that state
function without the side effect of header mangling.

If you really believe in your 1918/nat providing security, do the experiment
you propose above, but put in a state mapping for the public address of the
nat to the 1918 address of your Linux box.

Tony
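The point of Tony's reply, as an added illustration that is not part of the original thread: a small Python model of an edge device with a connection table, run once as a NAT and once as a plain stateful firewall in front of a box with a real address. All addresses are constructed (RFC 5737 documentation ranges and RFC 1918 space), the model keeps the source port unchanged on translation and has no timeouts, and the `static_maps` entry stands in for the "state mapping" Tony asks Jim to add. None of this is code from anyone on the list.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (RFC 5737 documentation ranges and RFC 1918 space).
SCANNER = "198.51.100.7"       # an "all comer" somewhere on the Internet
NAT_PUBLIC = "203.0.113.1"     # public side of the NAT / firewall
BOX_PRIVATE = "192.168.1.10"   # the Linux box at its RFC1918 address behind the NAT
BOX_PUBLIC = "203.0.113.10"    # the same box with a real IP behind a stateful firewall
SSH = 22


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulEdge:
    """Edge device with a connection table; optionally rewrites the source address (NAT).

    static_maps is the "state mapping" from the reply above:
    (public address, port) -> (inside address, port).
    """
    translate: bool
    public_ip: str = NAT_PUBLIC
    static_maps: dict = field(default_factory=dict)
    # (remote addr, remote port, inside port) -> inside address that opened the flow
    conntrack: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host opens a flow; record it so the reply is admitted."""
        self.conntrack[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        if self.translate:
            # Header mangling: only the source address changes (port kept for brevity).
            return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)
        return pkt

    def inbound(self, pkt: Packet):
        """Packet arriving from the Internet: return what is delivered inside, or None if dropped."""
        inside = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if inside is not None and pkt.dst == (self.public_ip if self.translate else inside):
            return Packet(pkt.src, pkt.sport, inside, pkt.dport)  # reply to an existing flow
        if (pkt.dst, pkt.dport) in self.static_maps:
            in_ip, in_port = self.static_maps[(pkt.dst, pkt.dport)]
            return Packet(pkt.src, pkt.sport, in_ip, in_port)  # forwarded by explicit mapping
        return None  # no state and no mapping: dropped at the edge


def probe(edge: StatefulEdge, target_ip: str):
    """One unsolicited SSH connection attempt from the scanner, as in Jim's experiment."""
    return edge.inbound(Packet(SCANNER, 40000, target_ip, SSH))


def nat_without_mapping() -> bool:
    """Jim's setup: RFC1918 box behind a NAT, no mapping. Is the box reachable?"""
    edge = StatefulEdge(translate=True)
    return probe(edge, NAT_PUBLIC) is not None or probe(edge, BOX_PRIVATE) is not None


def stateful_firewall_real_ip() -> bool:
    """Same protection with a real address: stateful firewall, no translation. Reachable?"""
    edge = StatefulEdge(translate=False)
    return probe(edge, BOX_PUBLIC) is not None


def nat_with_mapping() -> bool:
    """Tony's variant: the NAT carries a state mapping to the box. Reachable?"""
    edge = StatefulEdge(translate=True, static_maps={(NAT_PUBLIC, SSH): (BOX_PRIVATE, SSH)})
    delivered = probe(edge, NAT_PUBLIC)
    return delivered is not None and delivered.dst == BOX_PRIVATE


def reply_admitted(translate: bool) -> bool:
    """Both edges admit the reply to a flow the inside host opened; the state does the work."""
    inside = BOX_PRIVATE if translate else BOX_PUBLIC
    edge = StatefulEdge(translate=translate)
    wire = edge.outbound(Packet(inside, 51000, "203.0.113.200", 443))
    reply = edge.inbound(Packet("203.0.113.200", 443, wire.src, 51000))
    return reply is not None and reply.dst == inside


if __name__ == "__main__":
    print("NAT, no mapping, box reachable:      ", nat_without_mapping())
    print("stateful firewall, real IP, reachable:", stateful_firewall_real_ip())
    print("NAT with state mapping, reachable:    ", nat_with_mapping())
    print("replies admitted (NAT / firewall):    ", reply_admitted(True), reply_admitted(False))
```

The first two scenarios drop the unsolicited probe for the same reason, an empty connection table, whether or not the address was rewritten; the third delivers it as soon as a mapping exists. In the model the only thing that decides exposure is the state table, which is the distinction the reply draws between the translation and the firewall function.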


