Is NAT can provide some kind of protection?

Jeff Kell jeff-kell at utc.edu
Wed Jan 12 20:58:56 UTC 2011


On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>>
>> Without NAT, your unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
> Yep... Same results as NAT.

Now let that laptop (or another one on the home subnet) show up with
Bridging or Internet Connection Sharing enabled with wired/wireless
connections and see what you get.  Still maybe OK if it's the "host"
firewall, and it's turned on, and it's not domain-joined with the local
subnet allowed, etc., but that was post-SP2 and assumes some malware [or
the user] hasn't turned it off.

NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof
RFC1918 destinations, assuming they get routed all the way to the
endpoint... but that's a bigger "if" than a public address)

"Perfect stateful firewall with perfect default inbound deny and no
other variables thrown in the mix" and yes, but it's breakable in
contrast to the NAT+RFC1918 case.

There is something to be said for "unreachable" (i.e., "not in your
forwarding table") -- else the VPN / VRF / MPLS / etc folks wouldn't
have a leg to stand on :-)

With that said, this isn't a one-size-fits-all, everybody's perfect
solution.  We've covered the gamut from home CPE to server farms here,
with the original question being about a DMZ case.  They are however
legitimate security layers applied to certain cloves of this particular
bulb of garlic (a more appropriate model than the homogeneous "onion")  :-)

Jeff
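
An added model of the two cases argued over in this thread (not code from the post or from NANOG): a stateful filter with default inbound deny on a public address versus port-address translation in front of RFC1918 hosts, plus the "not in your forwarding table" check for the case where the filter is switched off. Addresses and port numbers are constructed.

```python
import ipaddress
# Constructed addresses: RFC1918 inside host, the public address (the host's own, or the NAT gateway's), outside scanner.
INSIDE, PUBLIC, SCANNER = "192.168.1.10", "203.0.113.5", "198.51.100.7"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class StatefulFilter:
    """Default inbound deny on a public address: only replies to flows the inside host opened pass."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, peer_ip, peer_port)

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))
        return (src, sport, dst, dport)  # packet leaves unchanged

    def inbound(self, src, sport, dst, dport):
        ok = (dst, dport, src, sport) in self.flows
        return (src, sport, dst, dport) if ok else None

class Nat:
    """PAT in front of RFC1918 hosts: an unsolicited packet has no translation entry to follow."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, src, sport, dst, dport):
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub, dst, dport)] = (src, sport)
        return (self.public_ip, pub, dst, dport)  # source rewritten

    def inbound(self, src, sport, dst, dport):
        inside = self.table.get((dport, src, sport)) if dst == self.public_ip else None
        return None if inside is None else (src, sport, inside[0], inside[1])

def internet_routable(dst):
    """'Not in your forwarding table': transit routers carry no route for RFC1918 space."""
    return not any(ipaddress.ip_address(dst) in net for net in RFC1918)

def run_scenarios():
    fw, nat = StatefulFilter(), Nat(PUBLIC)
    fw.outbound(PUBLIC, 51000, SCANNER, 80)   # host with a public IP opens a flow
    nat.outbound(INSIDE, 51000, SCANNER, 80)  # RFC1918 host opens a flow via NAT
    return {
        "fw_unsolicited_dropped": fw.inbound(SCANNER, 4444, PUBLIC, 445) is None,
        "fw_reply_allowed": fw.inbound(SCANNER, 80, PUBLIC, 51000) is not None,
        "nat_unsolicited_dropped": nat.inbound(SCANNER, 4444, PUBLIC, 445) is None,
        "nat_reply_to_inside": nat.inbound(SCANNER, 80, PUBLIC, 40000)[2] == INSIDE,
        # Filter off (the bridging/ICS case): a public host is exposed, an RFC1918
        # host still is not, because nothing on the internet routes to it.
        "no_filter_public_host_reachable": internet_routable(PUBLIC),
        "no_filter_rfc1918_host_reachable": internet_routable(INSIDE),
    }
```

Both the filter and the NAT drop the unsolicited packet; the difference the post is pointing at only shows up in the last two entries, once the filter is out of the picture.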