Firewall Wizards mailing list archives
RE: Free NAT for NT?
From: "Garman, Christopher" <GarmanCh () asa org>
Date: Fri, 10 Sep 1999 09:56:28 -0600
I'll join the pummeling. The funniest part of the anti-NAT paper is "it requires the insertion of a stateful inspection box into the middle of the end-to-end data stream. Only end systems should have state info." Current industry practice is to insert a firewall between you and the internet. A firewall (a good one, anyway) is a stateful inspection box. People are already committing the hardware/software/grayware to the implementation of a stateful inspection box in the middle of the end-to-end data stream, so making the jump to NAT is not nearly as big a deal as the anti-NAT paper makes out. There are numerous other weaknesses in their arguments but who's got the time? People are using NAT, it's working, get over it.

-----Original Message-----
From: LeGrow, Matt [SMTP:Matt_LeGrow () NAI com]
Sent: Wednesday, September 08, 1999 10:30 AM
To: 'Carl Brewer'; firewall-wizards () nfr net
Subject: RE: Free NAT for NT?

Carl,

The IETF draft on the architectural implications of NAT sounds like a lot of Chicken Little-type rhetoric to me. The author's arguments against NAT, such as

- "inhibiting security at the IP layer" (a solution that has been debated due to questions of efficiency and router workload from the very inception of the IPng protocol - after all, the streamlined header design is supposed to DECREASE router load)
- "encouraging casual use of private addresses can cause namespace collisions with VPNs that have to traverse multiple NATs" (can be overcome with a reasonable degree of overall architecture and design, such as two VPN endpoints subnetting their private namespace)
- "breaking the end-to-end flexibility of the Internet model" (between individual corporate networks, sure - that's the IDEA - no one is suggesting we stick a big PIX box between a couple major NAPs)

seem to have reasonable answers once you stop waving your hands over your head.

Personally, the first time I brought my house LAN onto the internet securely and in less than five minutes with a spare 486 and Linux IP Masquerading I was thanking the gods for NAT, and wondering why NT didn't have the same.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note : Opinions expressed herein are most certainly NOT that of my employer :-)

-----Original Message-----
From: Carl Brewer [mailto:carl () bl echidna id au]
Sent: Tuesday, September 07, 1999 6:42 PM
To: firewall-wizards () nfr net
Subject: Re: Free NAT for NT?

I'm not coming down on Robert here!

<rant>
It's a shame that M$ are providing NAT, which even they know is a bad technology (it was a M$ employee that wrote the IETF case against NAT), and not IPv6.

Please don't lose focus! NAT is a short-term ugly broken hack, push your vendor(s) for IPv6 support!

http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt
http://www.ietf.org/internet-drafts-ietf-iab-case-for-ipv6-04.txt

If you're using, or worse, planning to use, NAT and you haven't read the above two documents, read them :)
</rant>

Carl

From owner-firewall-wizards () lists nfr net Wed Sep 8 08:32 EST 1999
Date: Mon, 6 Sep 1999 14:20:07 -0700 (PDT)
From: Robert Graham <robert_david_graham () yahoo com>
Subject: Re: Free NAT for NT?
To: Ryan Russell <Ryan.Russell () sybase com>, firewall-wizards () nfr net
MIME-Version: 1.0

The new "Connection Sharing" feature in Win98 SE and Windows 2000 is based upon NAT (created by a company called Nevod that was bought by M$, used to be called NAT1000). In essence, this means that every Win98/Win2K is/will-be shipping with a NAT.

Check out these links:

http://www.uq.net.au/~zzdmacka/the-nat-page/nat_windows.html
http://www.alumni.caltech.edu/~dank/peer-nat.html

Recently, I set up a Win2k "connection sharing" NAT and was able to port scan the one machine behind it. Doesn't seem right. Anybody have experience with this?

Rob.

--- Ryan Russell <Ryan.Russell () sybase com> wrote:

Anyone aware of any free Network Address Translation (NAT) software for Windows NT? I'm writing a chapter on NAT, and the publisher is calling for examples in Linux, Cisco IOS, and NT. The first two are easy, but I'm only aware of commercial solutions for NT. (No, I'm not under the impression that the Cisco implementation is free, but since there is only one choice, it's a bit of a moot point.)

I prefer free solutions, so that readers can obtain and play with the technology more easily. Barring that, I'll go after low-cost, or possibly higher-cost but with downloadable demo.

Ryan

===
Robert Graham
"Anxiously awaiting the millennium so I can start programming dates with 2-digits again."