Security gain from NAT (was: Re: Cool IPv6 Stuff)

David Schwartz davids at webmaster.com
Mon Jun 4 20:41:31 UTC 2007


> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:

> > Owen DeLong <owen at delong.com> writes:
> >> There's no security gain from not having real IPs on machines.
> >> Any belief that there is results from a lack of understanding.

> > This is one of those assertions that gets repeated so often people
> > are liable to start believing it's true :-).

> Maybe because it _IS_ true.

> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?

> Correct.  There's nothing you get from NAT in that respect that you do
> not get from good stateful inspection firewalls.  NONE whatsoever.

Sorry, Owen, but your argument is ridiculous. The original statement was
"[t]here's no security gain from not having real IPs on machines". If
someone said, "there's no security gain from locking your doors", would you
refute it by arguing that there's no security gain from locking your doors
that you don't get from posting armed guards round the clock?

DS





More information about the NANOG mailing list