Addressing plan exercise for our IPv6 course
Owen DeLong
owen at delong.com
Fri Jul 23 15:33:19 UTC 2010
On Jul 23, 2010, at 2:50 AM, Jens Link wrote:
> Owen DeLong <owen at delong.com> writes:
>
>> In all reality:
>>
>> 1. NAT has nothing to do with security. Stateful inspection provides
>> security, NAT just mangles addresses.
>
> You know that, I know that and (hopefully) all people on this list know
> that. But NAT == security was and still is sold by many people.
>
So is snake oil.
>> Most customers don't know or care what NAT is and wouldn't know the
>> difference between a NAT firewall and a stateful inspection firewall.
>
> I Agree. But there are also many people who want to believe in NAT as
> security feature.
>
> After one of my talks about IPv6 the firewall admins of a company said
> something like: "So we can't use NAT as an excuse anymore and have to
> configure firewall rules? We don't want this."
>
So how did you answer him?
The correct answer is "No, you don't have to configure rules, you just need
one rule supplied by default which denies anything that doesn't have a
corresponding outbound entry in the state table and it works just like NAT
without the address mangling".
In my experience, other than a small handful of religious zealots, that
explanation is sufficient to get the point across to most such admins.
Owen
More information about the NANOG
mailing list