nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Steven Kurylo <skurylo+nanog () gmail com>
Date: Wed, 12 Jan 2011 09:57:51 -0800
On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates <jbates () brightok net> wrote:
> As my corp IT guy put it to me, PAT forces a routing disconnect between internal and external. There is no way to reach the hosts without the firewall performing its NAT function.
But that's not true. If you have NAT, without a firewall, I can access your internal hosts (by addressing their RFC 1918 address) because you'll be leaking your RFC 1918 addresses in and out. Granted, I might have to be in your immediate upstream, but it can be done. So at best, all it does is limit how many hops away I need to be from you to attack you. Some benefit? Yes. Enough benefit to be worth the trouble? I personally am not convinced. Considering the number of people who mistake the amount of security NAT provides, we're probably better off without it to remove that false sense of security.