Security gain from NAT (was: Re: Cool IPv6 Stuff)
don at calis.blacksun.org
Mon Jun 4 21:45:42 UTC 2007
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
You're argument is equally ridiculous because in order to work the NAT box
has to do stateful inspection anyway!
A better statement would be:
"there's no security gain from locking your doors" (NAT), if you have
already posted "armed guards round the clock" (Stateful Inspection)
NAT provides protection in the case where you have a stateful inspection
firewall that fails open- something that no serious firewall I have ever
seen does. If they aren't doing stateful inspection- then they aren't
routing at all (or certainly shouldn't be).
More information about the NANOG