Security Basics mailing list archives

Re: NAT external/Public IP


From: krymson () gmail com
Date: 9 Nov 2007 17:49:35 -0000

This thread has spawned a lot of smaller topics that are getting mashed together, bastardized, and confused. And 
reading sec-basics was supposed to be a mini-break for me! :)


1) I dislike discussions on the value of obscurity, because the typical two parties in the discussion are often both 
correct. 

2) Correct: obscurity does not affect the security of a device itself. An unpatched Windows OS won't become more 
secure, in and of itself, because you hid it in a closet with no network. The OS is still insecure. 

3) Correct, the risk to a device is affected in a positive way by obscuring it. The risk to that Windows system is 
pretty low because it doesn't even have a network cable attached to it!

4) This can also be illustrated with our age-old example of putting SSH on an alternate port. This won't make the SSH 
daemon or user passwords any more secure, but you will see a dramatic reduction in the number of logged brute force 
attempts when it is on an odd port. This is of value to many security professionals, and should be labeled a "reduction 
of risk." Sadly, many people still just call this an "increase in security" which gets quickly mistaken.

5) Back to the topic at hand: NAT. Does NAT increase security? That is clearly not its purpose, but it can help reduce 
risk, the same as good ACLs or firewall rules. To discuss further, we need clear examples of what we're envisioning our 
network to be. Are we assuming Internet traffic goes right to a host, all 65,535 ports? I'd rather have NAT stopping 
that (which pretty much forces us to use some firewall/acl rules), so I don't have to worry about all those ports. Does 
this increase the security of the box? Not directly. Does it mitigate risk? Yes. Does this add value? Yes.

And so on. Basically, I think most of the thread participants are correct, we're just dealing with mismatched 
definitions of terms, and mismatched illustrations where not everything is equal.
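Point 4 above treats the number of logged brute-force attempts as the thing that changes when SSH moves off port 22, while the daemon's own security does not. The script below is an added example, not code from the post or the list, for measuring that number from OpenSSH "Failed password" lines so a before/after comparison is a count rather than an impression. It also separates scripted guessing against accounts that do not exist (sshd marks these "invalid user") from a real user's failed login. The log lines are constructed samples using documentation IP ranges; the regex assumes the default OpenSSH syslog format, and the threshold of 3 is an assumed value to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not real data): one scripted guesser,
# one legitimate user who mistyped a password once, and one scanner.
SAMPLE_LOG = """\
Nov  9 10:01:02 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Nov  9 10:01:04 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Nov  9 10:01:07 gw sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Nov  9 10:01:09 gw sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 51244 ssh2
Nov  9 10:02:15 gw sshd[1210]: Failed password for alice from 192.0.2.44 port 40211 ssh2
Nov  9 10:02:20 gw sshd[1210]: Accepted publickey for alice from 192.0.2.44 port 40211 ssh2: ED25519 SHA256:constructed
Nov  9 10:03:01 gw sshd[1215]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Nov  9 10:03:02 gw sshd[1215]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
Nov  9 10:03:03 gw sshd[1215]: Failed password for invalid user guest from 203.0.113.9 port 33003 ssh2
"""

# Matches the OpenSSH "Failed password" line. The optional "invalid user"
# marker means the account does not exist locally, which is typical of
# scripted guessing rather than a real user's typo.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failed_logins(lines):
    """Return {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Return a sorted list of (ip, attempts, usernames_tried, invalid_user_attempts)
    for every source with at least `threshold` failures (threshold is an assumed value)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        rec = per_ip[m.group("ip")]
        rec["attempts"] += 1
        rec["users"].add(m.group("user"))
        if m.group("invalid"):
            rec["invalid"] += 1
    return sorted(
        (ip, rec["attempts"], sorted(rec["users"]), rec["invalid"])
        for ip, rec in per_ip.items()
        if rec["attempts"] >= threshold
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    total = sum(count_failed_logins(lines).values())
    print(f"failed password attempts in window: {total}")
    for ip, attempts, users, invalid in brute_force_sources(lines):
        print(f"{ip}: {attempts} attempts, {invalid} against nonexistent accounts, users tried {users}")
```

Run it against the same time window from before and after the port change (for example, `grep sshd /var/log/auth.log` piped into `splitlines()`), and the total is the "reduction of risk" the post describes in a form you can put in a report; the per-source breakdown is what an analyst would look at to decide whether a burst of failures is a scanner or a colleague who forgot a password.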
