Security gain from NAT (was: Re: Cool IPv6 Stuff)
owen at delong.com
Mon Jun 4 22:06:11 UTC 2007
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
>> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>>> Owen DeLong <owen at delong.com> writes:
>>>> There's no security gain from not having real IPs on machines.
>>>> Any belief that there is results from a lack of understanding.
>>> This is one of those assertions that gets repeated so often people
>>> are liable to start believing it's true :-).
>> Maybe because it _IS_ true.
>>> *No* security gain? No protection against port scans from
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN? Or to access a single, corporate Web site?
>> Correct. There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls. NONE whatsoever.
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:
There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.
I posit that a screen door does not provide any security. A lock and
deadbolt provide some security. NAT/PAT is a screen door.
Not having public addresses is a screen door. A stateful inspection
firewall is a lock and deadbolt.
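The following is an added illustration of the point argued in this message; it is not code from the thread or from any NANOG participant. It is a toy connection-tracking filter: the accept/drop decision for an unsolicited inbound packet comes from the flow table, and is the same whether the inside host carries a private (RFC 1918) or a public address. A hypothetical one-to-one translation step with no flow table is included for contrast. All addresses, ports and packets are constructed sample data; the class and function names are this example's own.

```python
"""Toy connection-tracking filter (added illustration, not from the thread).

Models the claim that a stateful inspection firewall makes the same decision
for a private and a public inside address, while address translation with no
flow table blocks nothing. All addresses and packets are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    inbound: bool   # True: Internet -> LAN, False: LAN -> Internet


class StatefulFilter:
    """Accepts LAN-initiated flows and their replies; drops unsolicited inbound.

    The flow table is keyed on (inside ip, inside port, remote ip, remote port);
    one protocol is assumed for brevity. The inside address is stored as-is,
    private or public, and never influences the verdict.
    """

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound packet: record the flow so its reply can come back.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound packet: allowed only if it is the reverse of a tracked flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        return "DROP"


class StatelessNat:
    """Hypothetical one-to-one translation with no connection tracking.

    Anything addressed to a mapped public address is rewritten and forwarded;
    nothing remembers who started the conversation.
    """

    def __init__(self, public_to_private: dict[str, str]) -> None:
        self.map = public_to_private

    def decide(self, p: Packet) -> str:
        if p.inbound and p.dst in self.map:
            return f"FORWARD to {self.map[p.dst]}"  # solicited or not
        if p.inbound:
            return "DROP"  # no mapping, nowhere to deliver
        return "ACCEPT"


def run_host(policy, lan_ip: str) -> dict[str, str]:
    """Same three events against one policy object for one inside host."""
    remote_web = "198.51.100.10"   # constructed remote web server
    scanner = "198.51.100.99"      # constructed unsolicited source
    events = {
        "client opens web session": Packet(lan_ip, 40001, remote_web, 443, False),
        "web server replies": Packet(remote_web, 443, lan_ip, 40001, True),
        "unsolicited probe to port 22": Packet(scanner, 55555, lan_ip, 22, True),
    }
    return {name: policy.decide(p) for name, p in events.items()}


def compare() -> dict[str, dict[str, str]]:
    """Run the scenario for a private inside address, a public one, and a
    stateless 1:1 translation in front of the private one."""
    return {
        "stateful, private 10.0.0.5": run_host(StatefulFilter(), "10.0.0.5"),
        "stateful, public 203.0.113.5": run_host(StatefulFilter(), "203.0.113.5"),
        "stateless 1:1 NAT, 203.0.113.5 -> 10.0.0.5":
            run_host(StatelessNat({"203.0.113.5": "10.0.0.5"}), "203.0.113.5"),
    }


if __name__ == "__main__":
    for policy_name, verdicts in compare().items():
        print(policy_name)
        for event, verdict in verdicts.items():
            print(f"  {event:30} {verdict}")
```

The two stateful runs produce identical verdicts: the reply to the LAN-initiated session is accepted and the probe to port 22 is dropped, regardless of whether the inside address is 10.0.0.5 or 203.0.113.5. The stateless translation forwards the probe, because the only thing standing between the probe and the inside host is an address rewrite.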