Firewall Wizards mailing list archives
RE: NAT Pseudo Security
From: David Lang <dlang () digitalinsight com>
Date: Wed, 5 May 2004 17:58:12 -0700 (PDT)
The ready availability and deployment of Linux on low-end router-type devices is making it so that when many people talk about the capabilities of NAT they include PAT (port address translation, masquerading, etc.) because they don't even realize that this is a different beast than traditional NAT. (For that matter, for several releases of Linux the kernel only knew how to do PAT; NAT is a relatively recent addition.)

While egress filtering is important for many reasons, the simple step of blocking inbound connections is a great beginning.

David Lang

On Wed, 5 May 2004, Frank Knobbe wrote:
> On Wed, 2004-05-05 at 02:49, Ben Nagy wrote:
> > Here are Paul, Mike and I rehashing the saaaame argument in 2002, two years after the thread Mike notes - even with a deja vu reference to the older thread. Irony. :/
>
> Hey Ben,
>
> I prefer people pull out old topics and discuss them fresh from time to time. While a FAQ is useful for guiding those that seek knowledge, I think it's very important that we periodically review those things that we hammered in stone a few years ago. The chances that we see it in a different light, or have new thoughts on it, are well worth the rehashing.
>
> What was fascinating about this post was that the OP asked if NAT is enough of a security measure, but then began to describe what sounded like a firewall. Apparently there was a disconnect between the concepts of NAT (as in plain-dumb-router-style NAT) and a product that does NAT (like a SOHO firewall). At least that's how it appeared to me just before I hit CTRL-D. Perhaps I misread the post.
>
> Anyhow, let's not complain if someone brings up old topics, but take a minute to look at it again, and either nod approvingly or go "hey, here's a new thought". Remember, the risks of TCP resets were discussed decades ago, and we just now got around to improving router security. :)
>
> Cheers,
> Frank
> --
> "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
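As an added illustration of the distinction David draws above between traditional 1:1 NAT and PAT/masquerading (this is not code from the thread or from any router project), the following toy Python model shows why an unsolicited inbound connection attempt has nowhere to go under PAT, while static NAT forwards it to the inside host unless a separate filter rule blocks it. All addresses and ports are constructed.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed public address of the router

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class OneToOneNat:
    """Traditional static NAT: one public address per inside host, mapped both ways."""
    def __init__(self, inside_to_public):
        self.inb = {pub: inside for inside, pub in inside_to_public.items()}
    def inbound(self, p):
        inside = self.inb.get(p.dst)
        # Any packet to a mapped public address is forwarded, solicited or not;
        # only an explicit filter rule (the "block inbound" step) would stop it.
        return Packet(p.src, p.sport, inside, p.dport) if inside else None

class Pat:
    """PAT / masquerading: inside hosts share PUBLIC_IP, and a mapping exists
    only because an outbound packet created it."""
    def __init__(self):
        self.table = {}  # public port -> (inside ip, inside port, remote ip, remote port)
        self.next_port = 40000
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        port = next((pub for pub, k in self.table.items() if k == key), None)
        if port is None:  # first packet of this flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = key
        return Packet(PUBLIC_IP, port, p.dst, p.dport)
    def inbound(self, p):
        entry = self.table.get(p.dport)
        # No mapping, or a different remote endpoint than the one contacted: drop it.
        if entry is None or (entry[2], entry[3]) != (p.src, p.sport):
            return None
        return Packet(p.src, p.sport, entry[0], entry[1])

def demo():
    """Returns (NAT result for probe, PAT result for probe, PAT result for legit reply)."""
    nat = OneToOneNat({"192.168.1.10": PUBLIC_IP})
    pat = Pat()
    pat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))  # inside host browsing out
    probe = Packet("198.51.100.99", 4444, PUBLIC_IP, 22)            # unsolicited inbound attempt
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, 40000)            # return traffic for the browse
    return nat.inbound(probe), pat.inbound(probe), pat.inbound(reply)
```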