Where NAT disenfranchises the end-user ...
Scott Gifford
sgifford at tir.com
Mon Sep 10 17:29:58 UTC 2001
Roeland Meyer <rmeyer at mhsc.com> writes:
> |> From: Jared Mauch [mailto:jared at puck.Nether.net]
> |> Sent: Sunday, September 09, 2001 2:49 PM
>
> |> Let me rephrase my initial statement, "In most cases i've seen
> |> where someone is using NAT it's part of a security policy and not due
> |> to lack of available address space".
>
> Jared, those who depend on an accident for security deserve what happens
> when the accident undoes itself. I was just over on www.netcraft.com,
> checking out their stats for the CodeRed worm. I was amazed at how fast IIS
> admins responded by applying the patches. If NAT were suddenly "fixed", any
> incidental security is toast. NAT was never designed for, and was never
> intended as, a security method. Any current protection is strictly the
> result of a side-effect. The side-effect that breaks the internet
> connection. It's a result of the connection being broken. A properly built
> firewall is much more effective and definitely more deterministic. Neither
> is it vulnerable to a "fix patch".
I don't understand what kind of "fix patch" you're talking about
here... NAT uses the same techniques that a stateful firewall uses; if
you can find some kind of "fix patch" to bypass NAT, chances are
excellent it will work on a stateful firewall, too.
I've actually seen the question of how NAT breaks the Internet more
than a good stateful firewall come up more than once, and haven't
really seen a satisfactory answer. Where does a stateful firewall
configured to only allow outgoing connections work that NAT doesn't?
I ask not to drag this discussion on, but because I use NAT for
address conservation and security on a couple networks that I operate,
and am curious if I'd be much better off with something different...
-----ScottG.
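The two points argued above (that NAT and a stateful firewall rely on the same connection-tracking table, and that NAT's protection evaporates as soon as a static mapping is added) can be shown with a toy simulator. This is an added example, not code from the thread; the Gateway class, its method names, and all addresses (RFC 1918 inside, RFC 5737 outside) are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:
    """Connection tracker (constructed example). nat=False: stateful firewall
    admitting only replies to outbound flows. nat=True: the same flow table,
    plus source rewriting to one public address."""

    def __init__(self, public_ip: str, nat: bool):
        self.public_ip, self.nat = public_ip, nat
        self.flows: dict = {}     # reply 4-tuple as seen from outside -> inside endpoint
        self.statics: dict = {}   # public port -> inside endpoint (a port-forward)
        self.next_port = 40000

    def outbound(self, p: Pkt) -> Pkt:
        """Inside -> outside: record the flow so the reply can be matched."""
        if self.nat:
            local = (self.public_ip, self.next_port)
            self.next_port += 1
        else:
            local = (p.src, p.sport)
        self.flows[(p.dst, p.dport, *local)] = (p.src, p.sport)
        return Pkt(local[0], local[1], p.dst, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Outside -> inside: forwarded only on a flow hit or a static mapping."""
        hit = self.flows.get((p.src, p.sport, p.dst, p.dport))
        if hit is None and p.dst == self.public_ip:
            hit = self.statics.get(p.dport)   # the "fix" that re-exposes a host
        return None if hit is None else Pkt(p.src, p.sport, *hit)

    def add_static_mapping(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.statics[public_port] = (inside_ip, inside_port)

def demo(nat: bool) -> dict:
    gw = Gateway("198.51.100.1", nat)
    out = gw.outbound(Pkt("10.0.0.5", 51000, "203.0.113.7", 80))
    reply = gw.inbound(Pkt("203.0.113.7", 80, out.src, out.sport))
    unsolicited = gw.inbound(Pkt("203.0.113.9", 4444, out.src, 8080))
    gw.add_static_mapping(8080, "10.0.0.5", 8080)   # no effect unless nat=True
    after_fix = gw.inbound(Pkt("203.0.113.9", 4444, out.src, 8080))
    return {"reply": reply, "unsolicited": unsolicited, "after_static_map": after_fix}
```

With either setting the reply is delivered and the unsolicited packet is dropped by the same table lookup; only the NAT variant lets the unsolicited packet through once a static mapping exists, because the firewall's outbound-only policy is explicit rather than a side effect of translation.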