Firewall Wizards mailing list archives

RE: NAT Pseudo Security


From: David Lang <dlang () digitalinsight com>
Date: Wed, 5 May 2004 17:58:12 -0700 (PDT)

The ready availability and deployment of Linux on low end router type
devices is making it so that when many people talk about the capabilities
of NAT they include PAT (port address translation, masquerading, etc)
because they don't even realize that this is a different beast than
the traditional NAT. (For that matter, for several releases of Linux the
kernel only knew how to do PAT; NAT is a relatively recent addition.)

While egress filtering is important for many reasons, the simple step of
blocking inbound connections is a great beginning.

David Lang


On Wed, 5 May 2004, Frank Knobbe wrote:

On Wed, 2004-05-05 at 02:49, Ben Nagy wrote:
Here are Paul, Mike and I rehashing the saaaame argument in 2002, two
years after the thread Mike notes - even with a deja vu reference to the
older thread. Irony. :/

Hey Ben,

I prefer people pull out old topics and discuss them fresh from time to
time. While a FAQ is useful for guiding those that seek knowledge, I
think it's very important that we periodically review those things that
we hammered in stone a few years ago. The chances that we see it in a
different light, or have new thoughts on it, are well worth the
rehashing.

What was fascinating about this post was that the OP asked if NAT is
enough of a security measure, but then began to describe what sounded
like a firewall. Apparently there was a disconnect between the concepts
of NAT (as in plain-dumb-router-style NAT) and a product that does NAT
(like a SOHO firewall). At least that's how it appeared to me just
before I hit CTRL-D. Perhaps I misread the post.

Anyhow, let's not complain if someone brings up old topics, but take a
minute to look at it again, and either nod approvingly or go "hey,
here's a new thought". Remember, the risks of TCP resets were discussed
decades ago, and we just now got around to improving router security.
:)

Cheers,
Frank

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
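The NAT/PAT distinction David draws above, as an added illustration that is not from the thread: a toy model of a 1:1 static NAT beside a port-address-translating masquerader, showing why the masquerader happens to drop an unsolicited inbound packet (no translation state exists for it) while plain NAT forwards it to the inside host. Addresses, port numbers and the full-tuple state lookup are constructed assumptions, and the model ignores timeouts and filtering rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StaticNat:
    # Traditional 1:1 NAT: a fixed public<->private pair, so unsolicited inbound
    # packets to the public address are rewritten and forwarded.
    def __init__(self, public_to_private):
        self.inbound = dict(public_to_private)
    def translate_inbound(self, pkt):
        private_ip = self.inbound.get(pkt.dst_ip)
        if private_ip is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, private_ip, pkt.dst_port)

class Pat:
    # Port address translation (masquerading): many inside hosts share one public
    # address; a mapping exists only for flows an inside host opened itself.
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (peer_ip, peer_port, public_port) -> (inside_ip, inside_port)
    def translate_outbound(self, pkt):
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)
    def translate_inbound(self, pkt):
        entry = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if entry is None:
            return None  # no state for this flow: dropped as a side effect, not as policy
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

def compare(unsolicited, outbound):
    # Run one unsolicited inbound packet through both devices (constructed
    # addresses), then a reply to a flow the inside host opened via PAT.
    static = StaticNat({"203.0.113.10": "192.168.1.10"})
    pat = Pat("203.0.113.10")
    outside = pat.translate_outbound(outbound)
    reply = Packet(outside.dst_ip, outside.dst_port, outside.src_ip, outside.src_port)
    return {
        "static_forwards_unsolicited": static.translate_inbound(unsolicited) is not None,
        "pat_forwards_unsolicited": pat.translate_inbound(unsolicited) is not None,
        "pat_forwards_reply": pat.translate_inbound(reply),
    }
```

The point of the model is that the PAT drop is incidental to missing state; an explicit inbound-deny rule is what turns it into the policy the thread recommends.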

