[97227] in North American Network Operators' Group
RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Donald Stahl)
Mon Jun 4 18:47:20 2007
Date: Mon, 4 Jun 2007 17:45:42 -0400 (EDT)
From: Donald Stahl <don@calis.blacksun.org>
To: David Schwartz <davids@webmaster.com>
Cc: "Owen@Delong. Com" <owen@delong.com>,
NANOG list <nanog@nanog.org>
In-Reply-To: <MDEHLPKNGKAHNMBLJOLKAEDAEFAC.davids@webmaster.com>
Errors-To: owner-nanog@merit.edu
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
Your argument is equally ridiculous because in order to work the NAT box
has to do stateful inspection anyway!
A better statement would be:
"there's no security gain from locking your doors" (NAT), if you have
already posted "armed guards round the clock" (Stateful Inspection)
NAT provides protection in the case where you have a stateful inspection
firewall that fails open, something that no serious firewall I have ever
seen does. If they aren't doing stateful inspection, then they aren't
routing at all (or certainly shouldn't be).
-Don
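The point of the exchange above, as an added illustration that is not code from the thread or from any of its participants: a toy stateful firewall and a toy NAPT box placed side by side. Both depend on the same per-flow state created by outbound traffic, and NAT only "adds" anything when the firewall's policy check fails open; all addresses are constructed from the RFC 5737 documentation ranges and the `fail_open` flag is a hypothetical broken-policy mode.

```python
# Added example, not from the NANOG post. Constructed addresses throughout.
class StatefulFirewall:
    def __init__(self, fail_open=False):
        self.flows = set()          # (inside "ip:port", outside "ip:port")
        self.fail_open = fail_open  # hypothetical broken policy: allow by default

    def outbound(self, inside, outside):
        self.flows.add((inside, outside))   # record state for the reply
        return True

    def inbound(self, outside, inside):
        """True if the packet is forwarded to the inside host."""
        if (inside, outside) in self.flows:
            return True
        return self.fail_open   # no state: only a fail-open policy lets it in


class NatBox:
    def __init__(self, public_ip="203.0.113.1", fail_open=False):
        self.public_ip, self.fail_open = public_ip, fail_open
        self.mappings = {}      # (public "ip:port", outside) -> inside "ip:port"
        self.next_port = 40000

    def outbound(self, inside, outside):
        """Allocate (or reuse) a translation; this IS the stateful entry."""
        for (public, remote), who in self.mappings.items():
            if who == inside and remote == outside:
                return public
        public = f"{self.public_ip}:{self.next_port}"
        self.next_port += 1
        self.mappings[(public, outside)] = inside
        return public

    def inbound(self, outside, public):
        """Inside destination after translation, or None if dropped."""
        inside = self.mappings.get((public, outside))
        if inside is not None:
            return inside
        # Even if policy fails open, there is no inside address to rewrite
        # the destination to, so the packet cannot be routed anywhere.
        return None


def unsolicited_reaches_inside(fail_open):
    """(firewall forwarded?, NAT forwarded?) for a packet with no prior flow."""
    fw, nat = StatefulFirewall(fail_open), NatBox(fail_open=fail_open)
    outside = "198.51.100.9:5555"   # constructed unsolicited sender
    return (fw.inbound(outside, "192.168.1.10:22"),
            nat.inbound(outside, "203.0.113.1:22") is not None)
```

With a correctly failing-closed firewall both boxes drop the unsolicited packet for the same reason (no state); only in the fail-open case does the NAT table do any extra work.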