Security gain from NAT (was: Re: Cool IPv6 Stuff)
Owen DeLong
owen at delong.com
Mon Jun 4 18:47:15 UTC 2007
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> Owen DeLong <owen at delong.com> writes:
>> There's no security gain from not having real IPs on machines.
>> Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
Maybe because it _IS_ true.
> *No* security gain? No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN? Or to access a single, corporate Web site?
>
Correct. There's nothing you get from NAT in that respect that you do
not get from good stateful inspection firewalls. NONE whatsoever.
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box? When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
That doesn't prove that NAT had anything to do with the security.
NAT implies stateful inspection. I could conduct the exact same
experiment with a Linux box behind a stateful inspection firewall
with legitimate addresses and achieve the exact same result.
NAT did nothing for you. Stateful inspection is where you got your
security. I'm so tired of people who fail to understand that NAT has
nothing to do with security, because they forget that stateful
inspection
is required in order to make NAT work. However, NAT is not required
for stateful inspection to work.
Owen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2481 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20070604/007d353f/attachment.bin>
More information about the NANOG
mailing list