Addressing plan exercise for our IPv6 course

• Previous message (by thread): Addressing plan exercise for our IPv6 course
• Next message (by thread): Addressing plan exercise for our IPv6 course
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jul 23, 2010, at 2:50 AM, Jens Link wrote:

> Owen DeLong <owen at delong.com> writes:
> 
>> In all reality:
>> 
>> 1.	NAT has nothing to do with security. Stateful inspection provides
>> 	security, NAT just mangles addresses.
> 
> You know that, I know that and (hopefully) all people on this list know
> that. But NAT == security was and still is sold by many people. 
> 
So is snake oil.

>> Most customers don't know or care what NAT is and wouldn't know the
>> difference between a NAT firewall and a stateful inspection firewall.
> 
> I Agree. But there are also many people who want to believe in NAT as
> security feature.
> 
> After one of my talks about IPv6 the firewall admins of a company said
> something like: "So we can't use NAT as an excuse anymore and have to
> configure firewall rules? We don't want this."
> 
So how did you answer him?

The correct answer is "No, you don't have to configure rules, you just need
one rule supplied by default which denies anything that doesn't have a
corresponding outbound entry in the state table and it works just like NAT
without the address mangling".

In my experience, other than a small handful of religious zealots, that
explanation is sufficient to get the point across to most such admins.

Owen

• Previous message (by thread): Addressing plan exercise for our IPv6 course
• Next message (by thread): Addressing plan exercise for our IPv6 course
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]