Tony Hain alh-ietf at tndh.net
Sat Nov 1 01:23:36 UTC 2003

Scott McGrath wrote:
> Agreed NATs do not create security although many customers believe they
> do.  NATs _are_ extremely useful in hiding network topologies from casual
> inspection.

This is another bogus argument, and clearly you have not done the math on
how long it takes to scan a /64 worth of subnet space. Start by assuming a
/16 per second (which is well beyond what I have found as current
technology) and see how long 2^48 seconds is.

> What I usually recommend to those who need NAT is a stateful firewall in
> front of the NAT.  The rationale being the NAT hides the topology and the
> stateful firewall provides the security boundary.

Obscuring the topology provides absolutely no security either. You are not
alone, as it is frequently a recommended practice, but obscurity != security
no matter how much it is sold as such.
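The "do the math" challenge above is easy to carry out. The following is an added example, not part of the original thread or anything Tony Hain posted: a small calculator for exhaustive scan time over a prefix at a fixed probe rate. The 2^16 addresses/second rate is the figure the post assumes; the 10^9 addresses/second rate is a hypothetical line-rate scanner added here for contrast, and the IPv4 comparison is likewise added.

```python
"""Exhaustive-scan arithmetic for an IPv6 /64 (added example, not from the thread).

Probe rates are constructed for illustration:
  2**16 addresses/s  - the rate assumed in the post ("a /16 per second")
  10**9 addresses/s  - a hypothetical line-rate scanner, added here
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s


def host_addresses(prefix_len: int, total_bits: int = 128) -> int:
    """Addresses covered by a prefix: 2^(total_bits - prefix_len).

    total_bits defaults to 128 (IPv6); pass 32 for IPv4.
    """
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length must be between 0 and total_bits")
    return 1 << (total_bits - prefix_len)


def scan_seconds(prefix_len: int, probes_per_second: float, total_bits: int = 128) -> float:
    """Wall-clock seconds to probe every address in the prefix exactly once."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return host_addresses(prefix_len, total_bits) / probes_per_second


def scan_years(prefix_len: int, probes_per_second: float, total_bits: int = 128) -> float:
    """Same as scan_seconds, expressed in Julian years."""
    return scan_seconds(prefix_len, probes_per_second, total_bits) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The post's own case: 2^64 addresses at 2^16 per second is 2^48 seconds.
    print(f"/64 at 2^16 addr/s: {scan_seconds(64, 2**16):.0f} s "
          f"= {scan_years(64, 2**16):,.0f} years")
    # Hypothetical line-rate scanner (constructed figure), still centuries.
    print(f"/64 at 10^9 addr/s: {scan_years(64, 10**9):,.0f} years")
    # Contrast: the entire IPv4 space at the same 2^16 addr/s rate.
    print(f"IPv4 /0 at 2^16 addr/s: {scan_seconds(0, 2**16, total_bits=32) / 3600:.1f} hours")
    # A typical IPv4 /24 is gone in a fraction of a second.
    print(f"IPv4 /24 at 2^16 addr/s: {scan_seconds(24, 2**16, total_bits=32):.4f} s")
```

At the post's assumed rate a /64 takes 2^48 seconds, roughly 8.9 million years; even a (hypothetical) gigapacket-per-second scanner needs on the order of 585 years, whereas all of IPv4 falls in about 18 hours at the slower rate. The comparison is what makes "hiding topology" moot for IPv6 subnets: the address space, not NAT, is what defeats casual enumeration, and that is a statistical obstacle rather than a security boundary.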


