nanog mailing list archives
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Owen DeLong <owen () delong com>
Date: Mon, 4 Jun 2007 15:06:11 -0700
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
>> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>>> Owen DeLong <owen () delong com> writes:
>>>> There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding.
>>>
>>> This is one of those assertions that gets repeated so often people are liable to start believing it's true :-).
>>
>> Maybe because it _IS_ true.
>>
>>> *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
>>
>> Correct. There's nothing you get from NAT in that respect that you do not get from good stateful inspection firewalls. NONE whatsoever.
>
> Sorry, Owen, but your argument is ridiculous. The original statement was "[t]here's no security gain from not having real IPs on machines". If someone said, "there's no security gain from locking your doors", would you refute it by arguing that there's no security gain from locking your doors that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:

There's no security gain from having a screen door in front of your door with a lock and dead-bolt on it that you don't get from a door with a lock and dead-bolt on it.

I posit that a screen door does not provide any security. A lock and deadbolt provide some security. NAT/PAT is a screen door. Not having public addresses is a screen door. A stateful inspection firewall is a lock and deadbolt.

Owen