Security gain from NAT (was: Re: Cool IPv6 Stuff)
Owen DeLong
owen at delong.com
Mon Jun 4 22:06:11 UTC 2007
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
>
>> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>
>>> Owen DeLong <owen at delong.com> writes:
>>>> There's no security gain from not having real IPs on machines.
>>>> Any belief that there is results from a lack of understanding.
>
>>> This is one of those assertions that gets repeated so often people
>>> are liable to start believing it's true :-).
>
>> Maybe because it _IS_ true.
>
>>> *No* security gain? No protection against port scans from
>>> Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN? Or to access a single, corporate Web site?
>
>> Correct. There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls. NONE whatsoever.
>
> Sorry, Owen, but your argument is ridiculous. The original statement was
> "[t]here's no security gain from not having real IPs on machines". If
> someone said, "there's no security gain from locking your doors", would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:
There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.
I posit that a screen door does not provide any security. A lock and
deadbolt provide some security. NAT/PAT is a screen door.
Not having public addresses is a screen door. A stateful inspection
firewall is a lock and deadbolt.
Owen
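The "lock and deadbolt without the screen door" that Owen describes, written out as an added nftables ruleset (not from the thread or from NANOG): a router whose LAN hosts carry globally routable IPv6 addresses, no NAT anywhere, and connection tracking alone deciding what comes in. Interface names wan0/lan0 and the 2001:db8:1::/48 documentation prefix are assumptions standing in for a real site.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the mailing-list thread.
# Assumed: wan0 = upstream interface, lan0 = office LAN,
# 2001:db8:1::/48 = documentation prefix in place of the site's real allocation.
# There is no nat table and no masquerade rule: every LAN host keeps a real address.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections a LAN host opened are admitted by conntrack state,
        # which is the only thing a NAT box was ever doing for "security".
        ct state established,related accept
        ct state invalid drop

        # Anything the office LAN originates may leave; the conntrack entry it
        # creates is what later matches the established,related rule above.
        iifname "lan0" ip6 saddr 2001:db8:1::/48 oifname "wan0" accept

        # Keep path-MTU discovery working; address translation tends to break
        # this, stateful filtering does not have to.
        icmpv6 type { packet-too-big, time-exceeded, destination-unreachable, parameter-problem } accept

        # Unsolicited inbound traffic, port scans from anywhere included, never
        # matches a rule and hits the drop policy. A machine used only on the
        # local LAN is as unreachable from outside as it would be behind NAT.
        # Exposing one corporate web server is a single explicit rule, e.g.:
        # iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 443 ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # The router itself still needs neighbour discovery, router advertisements
        # and echo so the link keeps working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept

        # Management reachable from the office LAN only.
        iifname "lan0" tcp dport 22 accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that no `nat` table exists; the inbound-drop behaviour NAT is usually credited with is entirely the product of the `ct state` rules and the drop policy.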