[97225] in North American Network Operators' Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Dorn Hetzel)
Mon Jun 4 18:12:05 2007
Date: Mon, 4 Jun 2007 14:20:44 -0700
From: "Dorn Hetzel" <dhetzel@gmail.com>
To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
Cc: "Jim Shankland" <nanog@shankland.org>,
"NANOG list" <nanog@nanog.org>, "Owen DeLong" <owen@delong.com>
In-Reply-To: <22037.1180988690@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu
Sure, NAT can't prevent users from running with scissors, but sometimes it
does block the scissors thrown at the back of their neck whilst they are
sleeping :)
On 6/4/07, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:
>
> On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said:
>
> > I can't pass over Valdis's statement that a "good properly configured
> > stateful firewall should be doing [this] already" without noting
> > that on today's Internet, the gap between "should" and "is" is
> > often large.
>
> Let's not forget all the NAT boxes out there that are *perfectly* willing
> to let a system make an *outbound* connection. So the user makes a first
> outbound connection to visit a web page, gets exploited, and the exploit
> then phones home to download more malware.
>
> Yeah, that NAT *should* be providing security, but as you point out, there's
> that big gap between should and is... :)
>
>
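The point Valdis makes above, as an added example that is not part of this thread: a small Python model of a stateful NAT box. Addresses, ports and the allowlist are constructed; it shows that NAT drops unsolicited inbound packets but, with its usual any-outbound default, passes a compromised host's callback, and that an explicit egress allowlist is what closes that gap.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # constructed, documentation-range address of the NAT box

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatBox:
    """Port-restricted NAT: outbound flows create a mapping, unsolicited inbound is dropped."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)    # (priv_ip, priv_port) -> public_port
    reverse: dict = field(default_factory=dict)  # public_port -> (priv_ip, priv_port, dst_ip, dst_port)
    egress_allow: Optional[set] = None           # None = any outbound allowed (typical SOHO default)

    def outbound(self, pkt):
        """Translate an inside->outside packet, or return None if egress policy drops it."""
        if self.egress_allow is not None and (pkt.dst_ip, pkt.dst_port) not in self.egress_allow:
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        pub_port = self.table[key]
        self.reverse[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an outside->inside packet only if it matches an existing outbound flow."""
        entry = self.reverse.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3]):
            return None  # the "scissors" NAT does block: nobody inside asked for this
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def phone_home_succeeds(nat, victim="192.168.1.10", c2=("198.51.100.7", 443)):
    """Can an already-compromised inside host open a callback to an outside address?"""
    return nat.outbound(Packet(victim, 51000, c2[0], c2[1])) is not None
```

With `egress_allow=None` the callback is translated and forwarded just like a legitimate web request; only a NAT that also enforces an outbound policy returns `None` for it.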