nanog mailing list archives
Re: Addressing plan exercise for our IPv6 course
From: Owen DeLong <owen () delong com>
Date: Fri, 23 Jul 2010 08:33:19 -0700
On Jul 23, 2010, at 2:50 AM, Jens Link wrote:

> Owen DeLong <owen () delong com> writes:
>
>> In all reality:
>> 1. NAT has nothing to do with security. Stateful inspection provides security, NAT just mangles addresses.
>
> You know that, I know that and (hopefully) all people on this list know that. But NAT == security was and still is sold by many people.

So is snake oil.

>> Most customers don't know or care what NAT is and wouldn't know the difference between a NAT firewall and a stateful inspection firewall.
>
> I agree. But there are also many people who want to believe in NAT as a security feature. After one of my talks about IPv6 the firewall admins of a company said something like: "So we can't use NAT as an excuse anymore and have to configure firewall rules? We don't want this."

So how did you answer him? The correct answer is "No, you don't have to configure rules, you just need one rule supplied by default which denies anything that doesn't have a corresponding outbound entry in the state table and it works just like NAT without the address mangling". In my experience, other than a small handful of religious zealots, that explanation is sufficient to get the point across to most such admins.

Owen
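
The single default rule described in the message above, modelled as an added example (not part of the original post and not any vendor's implementation): outbound packets create state, inbound packets are accepted only when they match it, and no address is rewritten. The class and function names, the 30-second idle timeout and the 2001:db8:: sample packets are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(proto, src, sport, dst, dport):
    # Normalise address text so equivalent IPv6 spellings compare equal.
    return (proto, ipaddress.ip_address(src), sport,
            ipaddress.ip_address(dst), dport)

class StatefulFilter:
    """One default rule: inbound is dropped unless it matches outbound state."""

    def __init__(self, idle_timeout=30.0):  # timeout value is an assumption
        self.idle_timeout = idle_timeout
        self.state = {}  # flow key -> time the flow was last seen

    def from_inside(self, pkt, now):
        # Outbound traffic creates or refreshes state; addresses are untouched.
        self.state[flow_key(*pkt)] = now
        return "accept"

    def from_outside(self, pkt, now):
        # A reply carries the outbound flow's addresses and ports swapped.
        key = flow_key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.state.get(key)
        if last_seen is None or now - last_seen > self.idle_timeout:
            self.state.pop(key, None)
            return "drop"  # the default rule: no matching state entry
        self.state[key] = now
        return "accept"

def demo():
    # Constructed packets using the 2001:db8::/32 documentation prefix.
    fw = StatefulFilter()
    host, resolver, stranger = "2001:db8:1::10", "2001:db8:ffff::53", "2001:db8:bad::1"
    query = Packet("udp", host, 40000, resolver, 53)
    reply = Packet("udp", resolver, 53, "2001:0db8:0001::10", 40000)
    probe = Packet("tcp", stranger, 55555, host, 22)
    return [fw.from_inside(query, now=0.0),    # creates state
            fw.from_outside(reply, now=0.1),   # matches state
            fw.from_outside(probe, now=0.2),   # unsolicited
            fw.from_outside(reply, now=60.0)]  # state has idled out

if __name__ == "__main__":
    print(demo())
```

The model omits TCP flag tracking and ICMPv6 handling, which a real stateful firewall also needs.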