Security gain from NAT (was: Re: Cool IPv6 Stuff)
Larry Smith
lesmith at ecsis.net
Mon Jun 4 20:31:00 UTC 2007
On Monday 04 June 2007 13:54, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain? No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN? Or to access a single, corporate Web site?
>
> Nope. Zip. Zero. Ziltch. Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.

Cool, then I need four of these firewalls, and two Class-C (512) worth of IP
space that works behind my current ISP at no more than $39.95 each (my basic
price for a Dlink, Netgear, etc. cable/dsl router with NAT) with no additional
cost to my monthly internet - and I will start switching over networks...

Yes, I am joking, but the point being that _currently_ NAT serves a purpose;
is supported by lots and lots of little "boxes" that customers can plug in,
configure, and be on the "net" quickly and easily without having to know
about all the "firewall" related stuff; and _does_ do all those neat stateful
things for people that have absolutely no interest in knowing about, much less
learning how to make work.

While I agree with the principle being discussed, would that many, many, many
more cable in particular and dsl customers of <Insert-Name-of-Large-ISP> had
such NAT boxes installed and maybe the rest of us would not be getting quite
so much spam from hacked cable/dsl/whatever machines...

--
Larry Smith
SysAd ECSIS.NET
sysad at ecsis.net