RE: Arguing against using public IP space

["Chuck Church" <chuckchurch () gmail com>]

When you all say NAT, are you implying PAT as well?  1 to 1 NAT really
provides no security.  But with PAT, different story.  Are there poor
implementations of PAT that don't enforce an exact port/address match for
the translation table?  If the translation table isn't at fault, are the
'helpers' that allow ftp to work passively to blame? 

Chuck

-----Original Message-----
From: Doug Barton [mailto:dougb () dougbarton us] 
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog () nanog org
Subject: Re: Arguing against using public IP space

On 11/13/2011 13:27, Phil Regnauld wrote:
>       That's not exactly correct. NAT doesn't imply firewalling/filtering.
>       To illustrate this to customers, I've mounted attacks/scans on
>       hosts behind NAT devices, from the interconnect network immediately
>       outside: if you can point a route with the ext ip of the NAT device
>       as the next hop, it usually just forwards the packets...

Have you written this up anywhere? It would be absolutely awesome to be able
to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration
of why it isn't.


Doug

-- 

                "We could put the whole Internet into a book."
                "Too practical."

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)  http://SupersetSolutions.com/