nanog mailing list archives

Re: Ok; let's have the "Does DNAT contribute to Security" argument one more time...


From: William Herrin <bill () herrin us>
Date: Mon, 14 Nov 2011 19:06:13 -0500

On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg <lyndon () orthanc ca> wrote:
> But a NAT implementation adds thousands of lines of code to the path the
> packets take, and any time you introduce complexity you decrease the overall
> security of the system.  And the complexity extends beyond the NAT box.
> Hacking on IPsec, SIP, and lord knows what else to work around address
> rewriting adds even more opportunities for something to screw up.
>
> If you want security, you have to DEcrease the number of lines of code in
> the switching path, not add to it.

Hi Lyndon,

Counterpoint:

Using two firewalls in serial from two different vendors doubles the
complexity. Yet it almost always improves security: fat fingers on one
firewall rarely repeat the same way on the second and a rogue packet
must pass both.

The same two firewalls in parallel surely reduces security.


Is complexity the enemy of security? In general principle yes, but as
with many things IT DEPENDS.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
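The serial-versus-parallel point in the post above, worked through as an added example (this is not code from the thread or from any firewall vendor). It models two independently written rule sets that are meant to implement the same intended policy, each carrying one different "fat finger", and composes them two ways: serial (a packet must be permitted by both boxes) and parallel (a packet may be carried by either box). The intended policy, the two rule sets, and the test traffic are all constructed for the example, using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port


def permitted(policy: Sequence[Rule], pkt: Packet) -> bool:
    """First-match rule evaluation with an implicit deny at the end."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action == "permit"
    return False


def serial(policies: Sequence[Sequence[Rule]], pkt: Packet) -> bool:
    """Boxes in series: the packet must be permitted by every one of them."""
    return all(permitted(p, pkt) for p in policies)


def parallel(policies: Sequence[Sequence[Rule]], pkt: Packet) -> bool:
    """Boxes in parallel: the packet only has to get through one of them."""
    return any(permitted(p, pkt) for p in policies)


# Intended policy (assumed for the example): HTTPS to the web host
# 192.0.2.10 from anywhere; SSH to the DMZ 192.0.2.0/24 only from the
# admin network 198.51.100.0/24. Each vendor's rule set contains one
# mistake, and the mistakes differ.
VENDOR_A = [  # fat finger: HTTPS permitted to the whole DMZ, not the one host
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("permit", "198.51.100.0/24", "192.0.2.0/24", 22),
]
VENDOR_B = [  # different fat finger: SSH source left as "any"
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 22),
]

# Constructed test traffic: (packet, should the intended policy permit it?)
CASES = [
    (Packet("203.0.113.5", "192.0.2.10", 443), True),
    (Packet("198.51.100.7", "192.0.2.10", 22), True),
    (Packet("203.0.113.5", "192.0.2.11", 443), False),  # only vendor A leaks it
    (Packet("203.0.113.5", "192.0.2.10", 22), False),   # only vendor B leaks it
    (Packet("203.0.113.5", "192.0.2.10", 80), False),
]


def leaks(compose, policies, cases) -> List[Packet]:
    """Packets the topology permits although the intended policy denies them."""
    return [p for p, ok in cases if not ok and compose(policies, p)]


def blocked_legit(compose, policies, cases) -> List[Packet]:
    """Packets the topology drops although the intended policy permits them."""
    return [p for p, ok in cases if ok and not compose(policies, p)]


if __name__ == "__main__":
    both = [VENDOR_A, VENDOR_B]
    for name, fn in (("serial", serial), ("parallel", parallel)):
        print(name, "leaks:", [(p.dst, p.dport) for p in leaks(fn, both, CASES)])
        print(name, "blocks legit:", [(p.dst, p.dport) for p in blocked_legit(fn, both, CASES)])
```

Each rule set on its own leaks exactly one packet; in series the other box catches it, so nothing leaks; in parallel both mistakes are exposed. Two caveats the model makes visible: the serial chain only fails closed for mistaken permits, since a mistaken deny on either box breaks legitimate traffic, and "parallel" here means a topology where a given packet can be carried by either box (load sharing, asymmetric paths), not an active/standby pair running one configuration.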

