[97208] in North American Network Operators' Group


Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

daemon@ATHENA.MIT.EDU (Robert Bonomi)
Mon Jun 4 16:46:49 2007

Date: Mon, 4 Jun 2007 14:45:27 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu



> From owner-nanog@merit.edu  Mon Jun  4 13:54:55 2007
> Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
> Date: Mon, 4 Jun 2007 14:47:06 -0400
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
> > Shall I do the experiment again where I set up a Linux box
> > at an RFC1918 address, behind a NAT device, publish the root
> > password of the Linux box and its RFC1918 address, and invite
> > all comers to prove me wrong by showing evidence that they've
> > successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up  
> a linux box with a globally-unique address, put it behind a firewall  
> which blocks all incoming traffic to that box, and issue a similar  
> invitation.
>
> Do you think the results will be different?

Consider the possible *FAILURE* modes.
  e.g. (1) where somebody brings up _another_ path between the LAN that that
           box is on, and the public internet, with no translations or other
           protections whatsoever.
       (2) where the 'protection box' "fails open" -- e.g. passes all traffic
           without modification.


NAT/PAT is 'belt and suspenders', but it *does* provide an additional layer of
protection, _if_the_primary_protection_fails_.

That 'additional protection' may or may not be 'significant', depending on
one's viewpoint.
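As an added illustration (not code from the post or from NANOG), the following toy model walks a single unsolicited inbound packet through the two failure modes listed above, once for a globally-addressed box behind a stateful filter and once for an RFC 1918 box behind a PAT. Assumptions, stated here and in the comments: the PAT drops inbound packets for which it holds no translation entry (it has nothing to rewrite the destination to), "fail open" means the device passes packets unmodified, and RFC 1918 destinations are not routed across the public Internet. All addresses are from the RFC 5737 documentation ranges and the scenario is constructed.

```python
"""Toy model of the two NAT/firewall failure modes discussed in the thread:
(1) a parallel, unprotected path onto the LAN, and (2) a protection device
that fails open.  Added illustration; addresses are RFC 5737 documentation
space and the whole scenario is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ATTACKER = "203.0.113.5"  # constructed: some host out on the public Internet
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    """Stateful filter whose policy is 'drop all unsolicited inbound'."""
    fail_open: bool = False

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Fail-open: the policy is no longer applied, everything passes.
        return pkt if self.fail_open else None


@dataclass
class PAT:
    """Port/address translator.  Assumption: inbound packets are rewritten only
    if an outbound flow created a mapping; with no mapping there is nothing to
    rewrite the destination to, so the packet is dropped."""
    public_ip: str
    fail_open: bool = False
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (pub_ip, pub_port) -> (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        inside = (pkt.src, pkt.sport)
        pub = next((k for k, v in self.table.items() if v == inside), None)
        if pub is None:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.table[pub] = inside
        return Packet(pub[0], pub[1], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.fail_open:
            return pkt  # passed unmodified: still addressed to the public IP
        inside = self.table.get((pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def internet_routable(ip: str) -> bool:
    """Assumption: RFC 1918 space is not routed across the public Internet."""
    return not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def reaches_host(pkt: Optional[Packet], host_ip: str) -> bool:
    """A packet that got onto the LAN only matters if it is addressed to the box."""
    return pkt is not None and pkt.dst == host_ip


def attack_succeeds(host_ip: str, device, failure: Optional[str]) -> bool:
    """Attacker on the Internet sends an unsolicited SYN to port 22 of the box.
    failure is None (device working), "fail_open" or "second_path"."""
    if failure == "second_path":
        # The device is bypassed entirely, so the only question left is whether
        # the Internet can deliver a packet to that address at all.
        pkt = Packet(ATTACKER, 12345, host_ip, 22)
        return internet_routable(host_ip) and reaches_host(pkt, host_ip)
    if failure == "fail_open":
        device.fail_open = True
    # Behind a PAT the only address the attacker can aim at is the public one.
    target = device.public_ip if isinstance(device, PAT) else host_ip
    pkt = Packet(ATTACKER, 12345, target, 22)
    return reaches_host(device.inbound(pkt), host_ip)


def return_traffic_reaches_host() -> bool:
    """Sanity check: the PAT still delivers replies to flows the box opened."""
    nat = PAT("198.51.100.1")
    out = nat.outbound(Packet("192.168.1.10", 5555, ATTACKER, 80))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    return reaches_host(nat.inbound(reply), "192.168.1.10")


if __name__ == "__main__":
    cases = [("firewall, public addr", "198.51.100.10", Firewall),
             ("PAT, RFC1918 addr", "192.168.1.10", lambda: PAT("198.51.100.1"))]
    for label, host, make in cases:
        for failure in (None, "fail_open", "second_path"):
            print(f"{label:22} failure={str(failure):12} "
                  f"attacker reaches box: {attack_succeeds(host, make(), failure)}")
    print("legit return traffic via PAT:", return_traffic_reaches_host())
```

With both devices working, neither box is reachable. In the fail-open and second-path cases the globally-addressed box is reached and the RFC 1918 box is not, which is the "belt and suspenders" point: the extra layer is the non-routability of the private address plus the absence of translation state, and it only matters once the primary control has failed. The model says nothing about the size of that benefit, only its mechanism.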


