[97209] in North American Network Operators' Group


RE: Security gain from NAT

daemon@ATHENA.MIT.EDU (Howard C. Berkowitz)
Mon Jun 4 16:50:19 2007

From: "Howard C. Berkowitz" <hcb@netcases.net>
To: "'NANOG list'" <nanog@nanog.org>
Date: Mon, 4 Jun 2007 15:28:17 -0400
In-Reply-To: <46646220.4080709@spacething.org>
Errors-To: owner-nanog@merit.edu


I'm sure everyone understands the underlying principle, but I'm constantly
making the point that even the best firewall is not a total security
solution. Forget antivirus, IDS, host authentication, etc., and just look on
the perimeter.

At least four device types lead inside from the DMZ:
   NAT
   Firewalls of various flavors
   VPN concentrators/security gateways
   Rate-limiting anti-DOS devices to protect host-to-host encryption

For small and medium enterprises, these functions might, as an
implementation choice, reside in the same box; NAT is most likely to coexist
with firewalling or VPN concentration. The latter gets a little Zen-ish if
the VPN concentrator acts as a separately addressed proxy anyway.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sam Stickland
Sent: Monday, June 04, 2007 3:04 PM
To: Joe Abley
Cc: Jim Shankland; Owen DeLong; NANOG list
Subject: Re: Security gain from NAT


Joe Abley wrote:
>
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
>> Shall I do the experiment again where I set up a Linux box
>> at an RFC1918 address, behind a NAT device, publish the root
>> password of the Linux box and its RFC1918 address, and invite
>> all comers to prove me wrong by showing evidence that they've
>> successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up a
> Linux box with a globally-unique address, put it behind a firewall
> which blocks all incoming traffic to that box, and issue a similar
> invitation.
>
> Do you think the results will be different?
I fear a somewhat more cynical person could interpret the results of 
such an experiment to mean that NAT is as good as a firewall ;)

S
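The two experiments compared in the thread, written out as nftables rulesets (an added example, not something posted in the thread; the interface names "lan" and "wan" and the exact rules are assumptions). The point it makes visible is that in both setups the dropping of unsolicited inbound connections comes from the same conntrack-based forward chain; the NAT table only rewrites addresses.

```nftables
# Constructed example, not from the thread. Both cases sit on a Linux router
# with interfaces "lan" (inside) and "wan" (outside); names are assumptions.

# Case A (Joe Abley's variant): inside host has a globally routable address,
# firewall blocks all unsolicited inbound traffic to it.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside host opened are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # New connections may only be initiated from the inside.
        iifname "lan" oifname "wan" accept
        # Anything else (new inbound from "wan") hits the drop policy.
    }
}

# Case B (Jim Shankland's variant): inside host at an RFC1918 address behind
# NAT. The filter table above stays exactly as it is; the only addition is
# source NAT on the way out.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}

# Note: with only the nat table loaded and no forward chain, there is no rule
# that drops a packet arriving on "wan" addressed to the RFC1918 host; the
# kernel would simply route it. The protection in case B is the conntrack
# filter, not the address translation.
```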

