Security gain from NAT (was: Re: Cool IPv6 Stuff)

Owen DeLong owen at delong.com
Mon Jun 4 22:06:11 UTC 2007


On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:

>
>> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>
>>> Owen DeLong <owen at delong.com> writes:
>>>> There's no security gain from not having real IPs on machines.
>>>> Any belief that there is results from a lack of understanding.
>
>>> This is one of those assertions that gets repeated so often people
>>> are liable to start believing it's true :-).
>
>> Maybe because it _IS_ true.
>
>>> *No* security gain?  No protection against port scans from Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN?  Or to access a single, corporate Web site?
>
>> Correct.  There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls.  NONE whatsoever.
>
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?

Except that's not the argument.  The argument would map better to:

There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.

I posit that a screen door does not provide any security. A lock and
deadbolt provide some security.  NAT/PAT is a screen door.
Not having public addresses is a screen door.  A stateful inspection
firewall is a lock and deadbolt.

Owen
