[97229] in North American Network Operators' Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Jun 4 19:07:40 2007
In-Reply-To: <MDEHLPKNGKAHNMBLJOLKAEDAEFAC.davids@webmaster.com>
Cc: "NANOG list" <nanog@nanog.org>
From: Owen DeLong <owen@delong.com>
Date: Mon, 4 Jun 2007 15:06:11 -0700
To: davids@webmaster.com
Errors-To: owner-nanog@merit.edu
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
>
>> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>
>>> Owen DeLong <owen@delong.com> writes:
>>>> There's no security gain from not having real IPs on machines.
>>>> Any belief that there is results from a lack of understanding.
>
>>> This is one of those assertions that gets repeated so often people
>>> are liable to start believing it's true :-).
>
>> Maybe because it _IS_ true.
>
>>> *No* security gain? No protection against port scans from Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN? Or to access a single, corporate Web site?
>
>> Correct. There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls. NONE whatsoever.
>
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:
There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.
I posit that a screen door does not provide any security. A lock and
deadbolt provide some security. NAT/PAT is a screen door.
Not having public addresses is a screen door. A stateful inspection
firewall is a lock and deadbolt.
Owen
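An added illustration of the point argued above (example code, not part of the original message or of any product mentioned): a toy model of a stateful inspection firewall in front of publicly addressed hosts, beside a toy PAT gateway, fed the same three events. The addresses, ports and packet sequence are constructed sample values; the model covers only the "unsolicited inbound is dropped unless state exists" property, which is the one the thread is arguing about.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True = leaving the site, False = arriving from the Internet


class StatefulFirewall:
    """Hosts keep public addresses; an inbound packet is allowed only if it
    matches state created by an earlier outbound packet (default deny)."""
    def __init__(self):
        self.state = set()

    def filter(self, p):
        if p.outbound:
            self.state.add((p.dst, p.dport, p.src, p.sport))  # expected reply tuple
            return "ALLOW"
        return "ALLOW" if (p.src, p.sport, p.dst, p.dport) in self.state else "DROP"


class NatGateway:
    """PAT: each outbound flow gets a public port; inbound must match a translation."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}

    def filter(self, p):
        if p.outbound:
            self.table[(p.dst, p.dport, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
            return "ALLOW"
        hit = p.dst == self.public_ip and (p.src, p.sport, p.dport) in self.table
        return "ALLOW" if hit else "DROP"


def compare():
    """Run the same three events through both devices; returns [(label, fw, nat)].
    Constructed scenario: host 192.0.2.5 (firewalled, public) vs 10.0.0.5 behind NAT 192.0.2.1."""
    fw, nat = StatefulFirewall(), NatGateway("192.0.2.1")
    web = "203.0.113.10"
    events = [
        ("unsolicited scan of tcp/22", Packet("198.51.100.7", 55555, "192.0.2.5", 22, False),
                                       Packet("198.51.100.7", 55555, "192.0.2.1", 22, False)),
        ("outbound HTTP request",      Packet("192.0.2.5", 51000, web, 80, True),
                                       Packet("10.0.0.5", 51000, web, 80, True)),
        ("reply to that request",      Packet(web, 80, "192.0.2.5", 51000, False),
                                       Packet(web, 80, "192.0.2.1", 40000, False)),
    ]
    return [(label, fw.filter(a), nat.filter(b)) for label, a, b in events]
```

Both devices drop the unsolicited scan and pass only the reply to a flow the inside host opened; the public address on the firewalled host buys the scanner nothing by itself.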