nanog mailing list archives
Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
From: William Herrin <bill () herrin us>
Date: Mon, 14 Nov 2011 19:06:13 -0500
On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg <lyndon () orthanc ca> wrote:
> But a NAT implementation adds thousands of lines of code to the path the packets take, and any time you introduce complexity you decrease the overall security of the system. And the complexity extends beyond the NAT box. Hacking on IPsec, SIP, and lord knows what else to work around address rewriting adds even more opportunities for something to screw up. If you want security, you have to DEcrease the number of lines of code in the switching path, not add to it.
Hi Lyndon,

Counterpoint: Using two firewalls in serial from two different vendors doubles the complexity. Yet it almost always improves security: fat fingers on one firewall rarely repeat the same way on the second, and a rogue packet must pass both. The same two firewalls in parallel surely reduces security.

Is complexity the enemy of security? In general principle yes, but as with many things IT DEPENDS.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
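To make the serial-versus-parallel point concrete, here is a small added model (my own illustration, not code from the thread or from any vendor). It assumes two first-match rule sets that intend the same policy, one of which carries a constructed "fat finger" (a /8 typed where a /24 was meant), and it models "parallel" as a packet getting through if either firewall accepts it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source prefix in CIDR notation
    dport: Optional[int]   # None matches any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


def firewall_allows(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation with an implicit deny at the end of the chain."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action == "allow"
    return False


# Constructed rule sets (hypothetical). Both intend: allow HTTPS from the
# partner's 203.0.113.0/24, deny everything else.
FW_A = [Rule("allow", "203.0.113.0/24", 443), Rule("deny", "0.0.0.0/0", None)]
# FW_B carries the fat finger: /8 instead of /24, so it over-admits.
FW_B = [Rule("allow", "203.0.0.0/8", 443), Rule("deny", "0.0.0.0/0", None)]


def serial_allows(pkt: Packet) -> bool:
    """In series the packet must pass BOTH boxes (logical AND)."""
    return all(firewall_allows(fw, pkt) for fw in (FW_A, FW_B))


def parallel_allows(pkt: Packet) -> bool:
    """In parallel either path will carry it (logical OR)."""
    return any(firewall_allows(fw, pkt) for fw in (FW_A, FW_B))


LEGIT = Packet("203.0.113.10", "198.51.100.5", 443)   # intended partner host
ROGUE = Packet("203.0.50.7", "198.51.100.5", 443)     # only FW_B's typo admits it
SSH = Packet("203.0.113.10", "198.51.100.5", 22)      # wrong port, both deny
```

Running the three packets through both compositions shows the rogue packet stopped in series by the correctly configured box and leaked in parallel, while legitimate traffic is unaffected either way.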