nanog mailing list archives
Re: Security gain from NAT
From: Dave Israel <davei () otd com>
Date: Mon, 04 Jun 2007 15:22:11 -0400
Valdis.Kletnieks () vt edu wrote:
On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:*No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?Nope. Zip. Zero. Ziltch. Nothing over and above what a good properly configured stateful *non*-NAT firewall should be doing for you already.
What the firewall *should* be doing? The end devices *should* not need protection in the first place, because they *should* be secure as individual devices. But they are not. So you put a firewall in front of them, and that device *should* give them all the protection they need. But sometimes, it doesn't. So you make end devices unaddressable by normal means, and while it shouldn't give them more security, it turns out it does. No matter how much it shouldn't, and how much we wish it didn't, it does.
The difference between theory and practice is that in theory, there is no difference, but in practice, there is.
Current thread:
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff), (continued)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks (Jun 04)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Dorn Hetzel (Jun 04)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Daniel Senie (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Edward B. DREGER (Jun 04)
- Re: Security gain from NAT Richard P. Welty (Jun 04)
- Re: Security gain from NAT Donald Stahl (Jun 04)
- Re: Security gain from NAT Dave Israel (Jun 04)
- Re: Security gain from NAT Edward B. DREGER (Jun 04)
- Re: Security gain from NAT Fred Baker (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Larry Smith (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Lamar Owen (Jun 04)
- Enterprise IPv6 (Was: Cool IPv6 Stuff/Security gain from NAT) Nathan Ward (Jun 04)