Security gain from NAT (was: Re: Cool IPv6 Stuff)
Tony Hain
alh-ietf at tndh.net
Mon Jun 4 19:12:18 UTC 2007
Jim Shankland wrote:
> Owen DeLong <owen at delong.com> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
> *No* security gain? No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN? Or to access a single, corporate Web site?
>
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box? When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
>
> Jim Shankland
Mangling the header did nothing for 'security'. The lack of state at the
network edge is the security tool here. A firewall provides that state
function without the side effect of header mangling.
If you really believe in your 1918/nat providing security, do the experiment
you propose above, but put in a state mapping for the public address of the
nat to the 1918 address of your Linux box.
Tony
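The distinction Tony draws above (state at the edge blocks unsolicited inbound traffic; rewriting the header adds nothing, and a static mapping gives it away again) can be shown with a small simulation. This is an added example, not code from the thread or from any NANOG participant; the addresses are constructed documentation-range values, and the `Edge` class, its `stateful`/`nat`/`static_maps` parameters and the `run_scenarios` helper are hypothetical names chosen for the illustration.

```python
"""Toy model of an edge device, added here to illustrate the point in the
reply above: a flow table (state), not address rewriting, is what drops
unsolicited inbound packets. All addresses are constructed examples."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# (inside_ip, inside_port, remote_ip, remote_port) as seen from the inside
Flow = Tuple[str, int, str, int]


class Edge:
    """Hypothetical edge device.

    stateful    - keep a flow table of connections opened from inside
    nat         - rewrite the inside source address to public_ip on the way out
    static_maps - public dport -> (inside ip, inside port), i.e. the 'state
                  mapping' the reply above suggests adding to the experiment
    """

    def __init__(self, public_ip: str, stateful: bool, nat: bool = False,
                 static_maps: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.stateful = stateful
        self.nat = nat
        self.static_maps = static_maps or {}
        self.flows: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> Packet:
        # A NAT is stateful by construction: it needs the flow to un-translate.
        if self.stateful or self.nat:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, src=self.public_ip) if self.nat else pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet as delivered to the inside host, or None if it is dropped."""
        if self.nat:
            if pkt.dport in self.static_maps:  # static mapping: no state needed
                in_ip, in_port = self.static_maps[pkt.dport]
                return replace(pkt, dst=in_ip, dport=in_port)
            for in_ip, in_port, r_ip, r_port in self.flows:
                if (r_ip, r_port, in_port) == (pkt.src, pkt.sport, pkt.dport):
                    return replace(pkt, dst=in_ip)  # reply to an inside flow
            return None  # no translation exists, so nowhere to deliver it
        if self.stateful:
            # Same decision a stateful firewall makes, with no header rewrite.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return pkt
            return None
        return pkt  # stateless router: forwards everything


def run_scenarios() -> Dict[str, bool]:
    """True means an unsolicited inbound SYN to port 22 reached the inside host."""
    results: Dict[str, bool] = {}
    probe = Packet("203.0.113.5", 40000, "198.51.100.1", 22)  # constructed scanner

    # 1. Globally addressed host behind a stateful firewall, no NAT.
    fw = Edge("198.51.100.1", stateful=True)
    results["global_stateful"] = fw.inbound(replace(probe, dst="198.51.100.10")) is not None
    # ... but the return half of a connection the host opened is admitted.
    fw.outbound(Packet("198.51.100.10", 50000, "203.0.113.5", 443))
    reply = Packet("203.0.113.5", 443, "198.51.100.10", 50000)
    results["global_stateful_reply"] = fw.inbound(reply) is not None

    # 2. RFC1918 host behind a NAT with no static mapping (Jim's experiment).
    nat = Edge("198.51.100.1", stateful=True, nat=True)
    results["nat_no_map"] = nat.inbound(probe) is not None

    # 3. The same NAT with a state mapping from the public address to the box.
    mapped = Edge("198.51.100.1", stateful=True, nat=True,
                  static_maps={22: ("192.168.1.10", 22)})
    results["nat_static_map"] = mapped.inbound(probe) is not None

    # 4. Globally addressed host behind a stateless router: nothing stops it.
    router = Edge("198.51.100.1", stateful=False)
    results["global_stateless"] = router.inbound(replace(probe, dst="198.51.100.10")) is not None
    return results


if __name__ == "__main__":
    for name, reached in run_scenarios().items():
        print(f"{name:22s} probe reached host: {reached}")
```

Scenarios 1 and 2 give the same answer (dropped) whether or not the address was rewritten, which is the point of the reply: the flow table does the work. Scenario 3 is the proposed variant of the experiment, where a single static mapping re-exposes the RFC1918 box, and scenario 4 shows that a global address with no state at the edge is what actually leaves a host reachable.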
More information about the NANOG mailing list