[97217] in North American Network Operators' Group
Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Jim Shankland)
Mon Jun 4 17:34:12 2007
From: Jim Shankland <nanog@shankland.org>
To: Valdis.Kletnieks@vt.edu
Cc: NANOG list <nanog@nanog.org>
In-Reply-To: <22037.1180988690@turing-police.cc.vt.edu>
Date: Mon, 04 Jun 2007 13:41:05 -0700
Errors-To: owner-nanog@merit.edu

Valdis.Kletnieks@vt.edu writes:
> Let's not forget all the NAT boxes out there that are *perfectly*
> willing to let a system make an *outbound* connection. So the user
> makes a first outbound connection to visit a web page, gets exploited,
> and the exploit then phones home to download more malware.
>
> Yeah, that NAT *should* be providing security, but as you point out,
> there's that big gap between should and is... :)

I will happily (well ...) further concede that NAT does not provide
*absolute* security. Let me be the first to mention that NAT provides
precisely zero protection against: "Hey, kids, just download and
run this .EXE to see a cute cartoon of Santa dancing with a polar
bear" :-).

Jim