Security gain from NAT
Matthew Kaufman
matthew at eeph.com
Mon Jun 4 23:31:22 UTC 2007
Leigh Porter wrote:
> Additionally, NATing services on separate machines behind a single NATed
> address anonymises the services behind a single address.
Agreed. It can be very useful to not expose the internal topology
through address assignment so as to not expose which
subnets/desktops/users are accessing certain foreign addresses.
This is an even bigger issue in v6 if your stack exposes the MAC address
in its choice of stateless autoconfiguration address, as this then gives
away not just your internal topology but the vendor of the machines (or
at least the ethernet card maker). One can easily imagine attacks based
on knowing that a vulnerable and hard-to-upgrade embedded system (an
Internet-fax machine, say) was on a particular subnet.
Matthew Kaufman
matthew at eeph.com
More information about the NANOG
mailing list