Arguing against using public IP space

-Hammer- bhmccie at gmail.com
Wed Nov 16 17:13:18 UTC 2011


"NAT neither provides nor contributes to security.
NAT detracts from security by destroying audit trails and 
interrupting/obfuscating
attack source identification, forensics, etc."

Respectfully, I'm really struggling with this. Sentence one is an 
opinion. It's all a matter of the designer's viewpoint. Step 1 in most 
security books is to not reveal ANYTHING to ANYONE that you don't have 
to. Taken to the extreme, that could include your network layout and 
native addressing schema.

Sentence two is wrong. If employing NAT breaks your audit trail or 
interferes with your forensics then you need to address your 
audit/forensics method. We have correlation engines that track the 
"state" of a conversation (defined as multiple TCP sessions in series) 
thru our secure architecture. We can 100% tell you the public IP of a 
session whether it's the destination or source and whether it's been 
NATted once or three or four times. We have 
cookies/sessionIDs/JSessionIDs/ and Xforwarders we manipulate to allow 
the application layer to manage the proper source of the client as well. 
These are proven technologies that have been around for a decade. They 
have stood up in court and been used against bad guys w/o question. 
While I agree that this is an extra layer of complexity, the focus is to 
make it manageable.

I'm not saying you are flat out wrong Owen. I am saying that it's all a 
matter of your viewpoint.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/16/2011 10:44 AM, Owen DeLong wrote:
> NAT neither provides nor contributes to security.
>
> NAT detracts from security by destroying audit trails and interrupting/obfuscating
> attack source identification, forensics, etc.
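An added example, not part of the thread and not -Hammer-'s or Owen's code, of the kind of correlation the post above describes: joining a NAT device's translation records with the access log of the server behind it so that each request can be traced back to its pre-NAT source. The log formats and every address and timestamp here are constructed for the example; no vendor's real format is assumed. It also shows the failure mode Owen is pointing at: when the NAT log omits teardown events, a reused outside port maps to more than one inside host and the attribution becomes ambiguous.

```python
"""Recover the pre-NAT client behind a request by joining NAT translation
records with a server access log.  All log lines are constructed for this
example and their formats are assumptions, not any real device's output."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed NAT translation log: when a translation was built or torn
# down, inside ip:port -> outside (post-NAT) ip:port, and the destination.
# Outside port 40001 is reused by a different inside host once the first
# translation is torn down, which is exactly where time bounds matter.
NAT_LOG = """\
2011-11-16T10:40:01Z built tcp 10.1.2.3:51512 -> 203.0.113.10:40001 dst 198.51.100.7:443
2011-11-16T10:40:05Z built tcp 10.1.2.9:51513 -> 203.0.113.10:40002 dst 198.51.100.7:443
2011-11-16T10:40:30Z teardown tcp 10.1.2.3:51512 -> 203.0.113.10:40001 dst 198.51.100.7:443
2011-11-16T10:40:40Z built tcp 10.1.2.44:51512 -> 203.0.113.10:40001 dst 198.51.100.7:443
"""

# Constructed access log from the server on the far side of the NAT: the
# source it saw, the request, and any X-Forwarded-For value ('-' if none).
ACCESS_LOG = """\
2011-11-16T10:40:03Z 203.0.113.10:40001 GET /login xff=-
2011-11-16T10:40:06Z 203.0.113.10:40002 GET /admin xff=172.16.5.5
2011-11-16T10:40:45Z 203.0.113.10:40001 POST /upload xff=-
"""

NAT_RE = re.compile(r"^(\S+) (built|teardown) tcp (\S+) -> (\S+) dst \S+$")
ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) xff=(\S+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Translation:
    inside: str               # pre-NAT ip:port
    outside: str              # post-NAT ip:port as the far end sees it
    start: datetime
    end: Optional[datetime]   # None if no teardown was logged


def parse_nat_log(text: str) -> List[Translation]:
    """Pair 'built' and 'teardown' events into bounded translation intervals."""
    translations: List[Translation] = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, event, inside, outside = m.groups()
        if event == "built":
            translations.append(Translation(inside, outside, parse_ts(ts), None))
        else:
            for tr in translations:
                if tr.outside == outside and tr.inside == inside and tr.end is None:
                    tr.end = parse_ts(ts)
                    break
    return translations


def candidates(translations: List[Translation], outside: str, when: datetime) -> List[str]:
    """Inside addresses whose translation to `outside` was live at `when`."""
    return [tr.inside for tr in translations
            if tr.outside == outside and tr.start <= when
            and (tr.end is None or when <= tr.end)]


def attribute(nat_text: str, access_text: str) -> List[dict]:
    """Join each access-log request back to its pre-NAT source.

    'origin' is None when the NAT log does not pin the translation to a
    single inside host (e.g. missing teardowns plus port reuse)."""
    translations = parse_nat_log(nat_text)
    results = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts, seen, method, path, xff = m.groups()
        cands = candidates(translations, seen, parse_ts(ts))
        origin = cands[0] if len(cands) == 1 else None
        # X-Forwarded-For only means something when a proxy you operate set
        # it, so it is reported alongside the NAT result, not used as origin.
        results.append({"time": ts, "request": f"{method} {path}", "seen": seen,
                        "origin": origin, "candidates": cands,
                        "xff": None if xff == "-" else xff})
    return results


if __name__ == "__main__":
    for r in attribute(NAT_LOG, ACCESS_LOG):
        print(r)
```

Run as-is, the third request (outside port 40001 at 10:40:45) resolves to 10.1.2.44 because the earlier translation on that port was torn down at 10:40:30. Drop the teardown lines from NAT_LOG and the same request has two candidates and no single origin, which is the difference between a NAT that keeps the audit trail and one that loses it.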