[97212] in North American Network Operators' Group


Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jun 4 17:14:46 2007

To: Jim Shankland <nanog@shankland.org>
Cc: NANOG list <nanog@nanog.org>, Owen DeLong <owen@delong.com>
In-Reply-To: Your message of "Mon, 04 Jun 2007 12:20:38 PDT."
             <E1HvI6Y-0008Mb-7u@mail.shankland.org>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 04 Jun 2007 16:24:50 -0400
Errors-To: owner-nanog@merit.edu


On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said:

> I can't pass over Valdis's statement that a "good properly configured
> stateful firewall should be doing [this] already" without noting
> that on today's Internet, the gap between "should" and "is" is
> often large.

Let's not forget all the NAT boxes out there that are *perfectly* willing
to let a system make an *outbound* connection.  So the user makes a first
outbound connection to visit a web page, gets exploited, and the exploit
then phones home to download more malware.

Yeah, that NAT *should* be providing security, but as you point out, there's
that big gap between should and is... :)
