Security gain from NAT
don at calis.blacksun.org
Wed Jun 6 00:10:59 UTC 2007
> Sure, very easily, by using NAT between the subnets.
Have at it. Nothing like trying to reach 10.10.10.10 nad having to put in
a dns entry pointing to 172.29.10.10, NAT'ing the address on your side to
their side and from their side back to your side, and adding the rules.
That's definitely simpler than allow a -> b for service c.
> Can you clarify this claim? What about managing NAT is allegedly
> difficult. Are you unable to easily map public addresses with private
> addresses on your own networks?
Easily map them? Sure- I can do my external tcpdump, see some funny
traffic, then match that up with the dynamic nat's. That's a lot easier
than just going "oh, hey, it's this user" without any further steps.
I, for one, give up. No matter what you say I will never implement NAT,
and you may or may not implement it if people make boxes that support it.
Clearly neither of us will change our minds so why bother. I'm sure we've
both gotten supportive emails in private and both know we are "right." In
the end it isn't going to change a thing.
More information about the NANOG