[97210] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (Dave Israel)
Mon Jun 4 17:02:10 2007

Date: Mon, 04 Jun 2007 15:22:11 -0400
From: Dave Israel <davei@otd.com>
To: Valdis.Kletnieks@vt.edu
Cc: NANOG list <nanog@nanog.org>
In-Reply-To: <13770.1180983241@turing-police.cc.vt.edu>
X-OTD-MailScanner-From: davei@otd.com
Errors-To: owner-nanog@merit.edu

Valdis.Kletnieks@vt.edu wrote:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
>> *No* security gain?  No protection against port scans from Bucharest?
>> No protection for a machine that is used in practice only on the
>> local, office LAN?  Or to access a single, corporate Web site?
> 
> Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.
> 

What the firewall *should* be doing?  The end devices *should* not need 
protection in the first place, because they *should* be secure as 
individual devices.  But they are not.  So you put a firewall in front 
of them, and that device *should* give them all the protection they 
need.  But sometimes, it doesn't.  So you make end devices unaddressable 
by normal means, and while it shouldn't give them more security, it 
turns out it does.  No matter how much it shouldn't, and how much we 
wish it didn't, it does.

The difference between theory and practice is that in theory, there is 
no difference, but in practice, there is.
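The point being argued above, that a correctly configured stateful firewall and a NAT both drop unsolicited inbound traffic, but only the NAT keeps doing so when the firewall's inbound policy is misconfigured, can be shown with a small simulation. The following is an added example, not code from this thread or from any NANOG poster; the packet, firewall and NAT classes are deliberately simplified models (connection tracking keyed on a 4-tuple, port-overloading NAT with no static mappings), and every address and port in it is a constructed value from documentation ranges.

```python
"""Toy model: stateful firewall vs. port-overloading NAT under a misconfiguration.

Added example, not from the mailing-list post. All addresses are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Allows anything from inside hosts and records the flow; inbound packets
    are accepted only if they are replies to a tracked flow, otherwise the
    inbound default applies.  inbound_default="ACCEPT" models the
    "sometimes it doesn't" case: an inbound policy mistakenly left open."""

    def __init__(self, inside_hosts, inbound_default="DROP"):
        self.inside_hosts = set(inside_hosts)
        self.inbound_default = inbound_default
        self.conntrack = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.src in self.inside_hosts:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"  # reply to a connection the inside host opened
        return self.inbound_default


class Nat:
    """Port-overloading NAT: a translation exists only for flows that an
    inside host initiated.  An unsolicited inbound packet has nowhere to go."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.by_public_port = {}  # public port -> (inside_ip, inside_port)
        self.by_inside = {}       # (inside_ip, inside_port) -> public port
        self.next_port = 40000

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.by_inside[key])

    def inbound(self, pkt):
        target = self.by_public_port.get(pkt.dport)
        if target is None:
            return None  # no mapping: the packet cannot be delivered inside
        return replace(pkt, dst=target[0], dport=target[1])


def send_outbound(pkt, fw, nat=None):
    """Inside host sends; returns the packet as seen on the Internet, or None."""
    if fw.filter(pkt) != "ACCEPT":
        return None
    return nat.outbound(pkt) if nat else pkt


def receive_inbound(pkt, fw, nat=None):
    """Packet arrives from the Internet at the edge; returns the verdict."""
    if nat is not None:
        pkt = nat.inbound(pkt)
        if pkt is None:
            return "DROP (no NAT mapping)"
    return fw.filter(pkt)


SCANNER = "198.51.100.77"  # constructed external scanner address
WEB = "192.0.2.80"         # constructed external web server
EDGE_IP = "203.0.113.10"   # constructed public address of the NAT box


def run_scenario(inbound_default, use_nat):
    """Returns verdicts for (a) a reply to a connection the inside host opened
    and (b) an unsolicited scan of port 22 from outside."""
    host = "192.168.1.5" if use_nat else "203.0.113.5"  # private vs. public host
    fw = StatefulFirewall({host}, inbound_default)
    nat = Nat(EDGE_IP) if use_nat else None

    wire = send_outbound(Packet(host, 51000, WEB, 443), fw, nat)
    reply = Packet(WEB, 443, wire.src, wire.sport)  # server answers what it saw
    target = EDGE_IP if use_nat else host
    scan = Packet(SCANNER, 3333, target, 22)
    return {
        "reply": receive_inbound(reply, fw, nat),
        "scan": receive_inbound(scan, fw, nat),
    }


if __name__ == "__main__":
    for default in ("DROP", "ACCEPT"):
        for use_nat in (False, True):
            print(f"inbound default={default:6} nat={use_nat!s:5}",
                  run_scenario(default, use_nat))
```

With the firewall configured correctly, NAT adds nothing: both setups pass the reply and drop the scan. With the inbound default mistakenly set to ACCEPT, the non-NAT host's port 22 is reachable from the scanner, while behind the NAT the same packet is still dropped because no mapping exists for it. That is the "defense in depth" the post describes, and the simulation also shows its limit: the protection depends entirely on the absence of a mapping, so a static port-forward or UPnP-style mapping to the host removes it.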
