[97239] in North American Network Operators' Group

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

daemon@ATHENA.MIT.EDU (Matthew Palmer)
Mon Jun 4 20:35:15 2007

Date: Tue, 5 Jun 2007 09:51:08 +1000
From: Matthew Palmer <mpalmer@hezmatt.org>
To: NANOG list <nanog@nanog.org>
Mail-Followup-To: NANOG list <nanog@nanog.org>
In-Reply-To: <200706041531.00166.lesmith@ecsis.net>
Errors-To: owner-nanog@merit.edu


On Mon, Jun 04, 2007 at 03:31:00PM -0500, Larry Smith wrote:
> 
> On Monday 04 June 2007 13:54, Valdis.Kletnieks@vt.edu wrote:
> > On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > > *No* security gain?  No protection against port scans from Bucharest?
> > > No protection for a machine that is used in practice only on the
> > > local, office LAN?  Or to access a single, corporate Web site?
> >
> > Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> > configured stateful *non*-NAT firewall should be doing for you already.
> 
> Cool, then I need four of these firewalls, and two Class-C (512) worth of IP 
> space that works behind my current ISP at no more than $39.95 each (my basic 
> price for a Dlink, Netgear, etc cable/dsl router with NAT) with no additional 
> cost to my monthly internet - and I will start switching over networks...
> 
> Yes, I am joking, but the point being that _currently_ NAT serves a purpose; 

Yes, it does -- conservation of address space (and routing table entries,
possibly).  However, a quick glance at the subject line and the material you
quoted should suggest that we're talking about a different topic.

- Matt

-- 
I was punching a text message into my phone yesterday and thought, "they need
to make a phone that you can just talk into."
		-- Major Thomb
