[97233] in North American Network Operators' Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Brandon Butterworth)
Mon Jun 4 19:41:13 2007
Date: Tue, 5 Jun 2007 00:16:45 +0100 (BST)
From: Brandon Butterworth <brandon@rd.bbc.co.uk>
To: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
> Not having public addresses is a screen door. A stateful inspection
> firewall is a lock and deadbolt.

It's tedious getting in and out with a lock and a deadbolt so we
don't bother. The screen door stops some bugs flying in.

I don't see why people make a big deal of this, to the extent of trying
to stop people doing NAT if they want to in v6. People can break their
connection if they want; for some, a box that does what a pre-configured
NAT box does is more security than they would have if left to configure
something else (child wants some p2p, child opens ports and a few
others over time, firewall is pointless).

Assuming NAT cannot exist is what annoys me as it also breaks a lot
of proxy firewalls too by trying to force an end-to-end model that
doesn't suit all.

Back to the "rabbit season" "duck season" discussion...

brandon