nanog mailing list archives
Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
From: Lyndon Nerenberg <lyndon () orthanc ca>
Date: Mon, 14 Nov 2011 15:01:30 -0800 (PST)
> There really is no winner or "right way" on this thread. In IPv4 as a security guy we have often implemented NAT as an extra layer of obfuscation.
It's worse than just obfuscation. The 'security' side effect of NAT can typically be implemented by four or five rules in a traditional firewall.
But a NAT implementation adds thousands of lines of code to the path the packets take, and any time you introduce complexity you decrease the overall security of the system. And the complexity extends beyond the NAT box. Hacking on IPsec, SIP, and lord knows what else to work around address rewriting adds even more opportunities for something to screw up.
If you want security, you have to DEcrease the number of lines of code in the switching path, not add to it.
Complexity is evil. It's a shame this is no longer taught in computing courses. And I mean taught as a philosophy, not as a function of line count or any other bean-counter metrics.
--lyndon
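The "four or five rules in a traditional firewall" that the reply refers to, as an added example that is not part of the original message: a small Python model of a stateful forward chain (accept established/related, drop invalid, accept new flows only from the inside interface, default drop) run over a constructed packet trace, with the same policy rendered as an nftables forward chain in a string constant for reference. The interface names, addresses and packet trace are assumptions made up for the example; no address is rewritten anywhere, yet unsolicited inbound packets never reach the inside host.

```python
"""Model of the stateful-filter rules that reproduce NAT's "only replies come
back in" property without rewriting addresses. Added example, not part of the
original post. Interface names, addresses and the packet trace are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

LAN = "lan0"   # assumed inside-facing interface name
WAN = "wan0"   # assumed Internet-facing interface name

# Roughly the same policy as an nftables forward chain (assumed interface
# names): three rules plus a default policy, and no NAT anywhere.
NFT_EQUIVALENT = """
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
    }
}
"""


@dataclass(frozen=True)
class Packet:
    iif: str           # interface the packet arrived on
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP connection initiation (SYN without ACK)


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Minimal connection tracker plus the forward-chain rules above."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one forwarded packet."""
        # Rule 1: packets belonging to a flow already seen, in either
        # direction, are accepted. This is what lets replies back in.
        if self._key(p) in self.flows or self._reply_key(p) in self.flows:
            return ("accept", "established")
        # Rule 2: a TCP packet that is not a SYN and matches no flow cannot
        # start a connection; conntrack calls this state "invalid".
        if p.proto == "tcp" and not p.syn:
            return ("drop", "invalid")
        # Rule 3: new flows may only be started from the inside interface.
        if p.iif == LAN:
            self.flows.add(self._key(p))
            return ("accept", "new-from-lan")
        # Default policy: anything else is unsolicited inbound traffic.
        return ("drop", "unsolicited-inbound")


def demo() -> List[Tuple[str, str]]:
    """Run a constructed packet trace through the filter and collect verdicts."""
    fw = StatefulFilter()
    trace = [
        # 1. inside host opens HTTPS to an outside server
        Packet(LAN, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, syn=True),
        # 2. the server's SYN-ACK comes back and matches the tracked flow
        Packet(WAN, "tcp", "198.51.100.5", 443, "192.0.2.10", 40000),
        # 3. outside host tries to open SSH to the inside host: no state, not from LAN
        Packet(WAN, "tcp", "203.0.113.7", 5555, "192.0.2.10", 22, syn=True),
        # 4. stray ACK with no flow behind it: conntrack "invalid"
        Packet(WAN, "tcp", "203.0.113.7", 5555, "192.0.2.10", 22),
        # 5. inside host sends a DNS query (UDP has no SYN; the first packet creates state)
        Packet(LAN, "udp", "192.0.2.10", 53000, "198.51.100.53", 53),
        # 6. the DNS answer returns
        Packet(WAN, "udp", "198.51.100.53", 53, "192.0.2.10", 53000),
    ]
    return [fw.forward(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The model tracks flows by 5-tuple only; a real conntrack also ages entries out and handles "related" flows (ICMP errors, FTP data channels), which is where much of the real-world complexity lives, but the policy itself stays at a handful of rules.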