nanog mailing list archives
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Matthew Palmer <mpalmer () hezmatt org>
Date: Tue, 5 Jun 2007 06:57:55 +1000
On Mon, Jun 04, 2007 at 12:20:38PM -0700, Jim Shankland wrote:
> But NAT *requires* stateful inspection; and the many-to-one, port translating NAT in common use all but requires affirmative steps to be taken to relay inbound connections to a designated, internal host -- the default ends up being to drop them. All this can be done without NAT, but with NAT you get it "for free".

Except for the costs of NAT, which it could be argued are, long term, higher than the costs of just setting up a firewall properly. There's also no reason why the default policy on a firewall, out of the box, cannot be "no inbound". It's not beyond the realm of possibility that the UI for the firewall device could be such that it was hard-to-impossible to turn off the "no inbound by default" rule.

> I can't pass over Valdis's statement that a "good properly configured stateful firewall should be doing [this] already" without noting that on today's Internet, the gap between "should" and "is" is often large.

"In theory, there is no difference between theory and practice. In practice, there is."

"There should be no difference between 'should' and 'is'. However, there is."

- Matt

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
-- Bjarne Stroustrup
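The point argued in this exchange, that dropping unsolicited inbound traffic comes from connection state rather than from address translation, modelled as an added example that is not part of the thread. The class names, the per-destination NAT mapping policy and all addresses are constructed assumptions.

```python
# Added illustration: a constructed model, not code from the thread.
from dataclasses import dataclass, field

INSIDE6, REMOTE6 = "2001:db8:1::10", "2001:db8:ffff::7"   # constructed sample addresses
INSIDE4, REMOTE4, PUBLIC4 = "192.168.1.10", "198.51.100.7", "203.0.113.1"

@dataclass
class StatefulFilter:
    """Routes packets untranslated; inbound passes only as a reply to a tracked flow."""
    flows: set = field(default_factory=set)

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))
        return (src, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        # Default deny: accept only the mirror image of a recorded outbound flow.
        return (dst, dport) if (dst, dport, src, sport) in self.flows else None

@dataclass
class PortTranslatingNat:
    """Many-to-one NAPT with per-destination mappings (an assumed mapping policy)."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub, dst, dport)] = (src, sport)
        return (self.public_ip, pub, dst, dport)

    def inbound(self, src, sport, dst, dport):
        # No mapping means no internal host to relay to, so the packet is dropped.
        return self.table.get((dport, src, sport)) if dst == self.public_ip else None

def demo():
    fw, nat = StatefulFilter(), PortTranslatingNat(PUBLIC4)
    fw.outbound(INSIDE6, 51000, REMOTE6, 443)
    _, pub_port, _, _ = nat.outbound(INSIDE4, 51000, REMOTE4, 443)
    return {
        "fw_reply": fw.inbound(REMOTE6, 443, INSIDE6, 51000),
        "fw_unsolicited": fw.inbound(REMOTE6, 4444, INSIDE6, 22),
        "nat_reply": nat.inbound(REMOTE4, 443, PUBLIC4, pub_port),
        "nat_unsolicited": nat.inbound(REMOTE4, 4444, PUBLIC4, 22),
    }

if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name:16} -> {delivered_to}")
```

Both devices deliver the reply and return `None` for the unsolicited packet; the only behavioural difference in the model is that the NAT rewrites the source address and port on the way out.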