Security gain from NAT

Jason Lewis jlewis at packetnexus.com
Tue Jun 5 01:07:38 UTC 2007


I figured SMB would chime in...but his research says it's not so anonymous.

http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf

jas

Colm MacCarthaigh wrote:
> On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
>
>>> *No* security gain?  No protection against port scans from Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN?  Or to access a single, corporate Web site?
>>>
>> Correct.  There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls.  NONE whatsoever.
>>
>
> Arguably the instant hit of IP source anonymity you get with NAT is a
> security benefit (from the point of view of the user). Of course these
> days there are all sorts of fragment and timing analyses that will allow
> you to determine origin commonality behind NAT, but it's nowhere near as
> convenient as a public IP address.
>
> A non-NAT stateful firewall can't simulate that, you need high-rotation
> dhcp or similar to get close. Although IPv6 privacy addresses rock :-)
>
> The argument can go either way, you can spin it as a benefit for the
> network operator ("wow, user activity and problems are now more readily
> identifiable and trackable") or you can see it as an organisational
> privacy issue ("crap, now macrumors can tell that the CEO follows them
> obsessively"). 
>
> NAT is still evil though, the problems it causes operationally are
> just plain not worth it.
>
>
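The Bellovin paper linked above is the research that makes NAT "not so anonymous": it counts the hosts behind a NAT by following the IPv4 Identification field, which the NAT rewrites no more than it rewrites the rest of the packet, so each hidden host's own counter keeps ticking in plain view. The script below is an added example of that idea, written for this page; it is not code from the thread or from the paper. It assumes the classic stack behaviour the technique relies on (one global IP ID counter per host, incremented by one per packet, left untouched by the NAT), a constructed packet trace embedded inline, and two tunable thresholds of my own choosing (`MAX_GAP`, `MAX_IDLE`).

```python
"""Estimate how many hosts sit behind one public address by stringing the
IPv4 Identification field into per-host counter sequences.

Added example, not code from the NANOG thread or from Bellovin's paper.
Assumptions: every hidden host has a single IP ID counter that goes up by
one per packet (the old Windows/BSD behaviour the paper exploits) and the
NAT rewrites the source address but not the ID field.  Modern stacks
randomise or zero the ID, and IPv6 has no such field, so on those the
method returns noise.
"""
from dataclasses import dataclass, field

# Constructed sample trace: (timestamp_seconds, public_src_ip, ip_id) as
# seen outside the NAT.  Three hidden hosts share 203.0.113.5; their
# counters were at 1000, 41000 and 65530 when the capture began.
SAMPLE = [
    (0.00, "203.0.113.5", 1000),
    (0.01, "203.0.113.5", 41000),
    (0.02, "203.0.113.5", 1001),
    (0.03, "203.0.113.5", 65530),
    (0.05, "203.0.113.5", 41001),
    (0.06, "203.0.113.5", 1002),
    (0.08, "203.0.113.5", 65531),
    (0.09, "203.0.113.5", 1004),   # one packet the sniffer missed (gap of 2)
    (0.10, "203.0.113.5", 41003),  # gap of 2 again
    (0.12, "203.0.113.5", 65535),  # about to wrap
    (0.13, "203.0.113.5", 0),      # wrapped modulo 2**16
    (0.15, "203.0.113.5", 1005),
]

MAX_GAP = 8       # unseen packets tolerated between two IDs of one host (assumed)
MAX_IDLE = 5.0    # seconds a chain may stay silent before it stops being extended (assumed)


@dataclass
class Chain:
    """One candidate host: the last ID/time seen and every ID attributed to it."""
    last_id: int
    last_time: float
    ids: list = field(default_factory=list)


def _forward_distance(prev: int, cur: int) -> int:
    """Steps from prev to cur walking the 16-bit counter forward (handles wrap)."""
    return (cur - prev) % 65536


def count_hosts(packets, max_gap=MAX_GAP, max_idle=MAX_IDLE):
    """Group packets per public address into IP ID chains.

    Each packet joins the live chain whose last ID is the smallest forward
    distance (1..max_gap) behind it; if none fits, a new chain starts.
    Returns {public_ip: [ids_of_chain, ...]}; the number of chains is the
    estimated number of hosts behind that address.
    """
    chains_by_ip: dict[str, list[Chain]] = {}
    for ts, ip, ip_id in sorted(packets):
        chains = chains_by_ip.setdefault(ip, [])
        best, best_dist = None, None
        for c in chains:
            if ts - c.last_time > max_idle:
                continue                      # chain went quiet; do not extend it
            d = _forward_distance(c.last_id, ip_id)
            if 1 <= d <= max_gap and (best_dist is None or d < best_dist):
                best, best_dist = c, d
        if best is None:
            best = Chain(last_id=ip_id, last_time=ts)
            chains.append(best)
        best.last_id, best.last_time = ip_id, ts
        best.ids.append(ip_id)
    return {ip: [c.ids for c in chains] for ip, chains in chains_by_ip.items()}


if __name__ == "__main__":
    for ip, seqs in count_hosts(SAMPLE).items():
        print(f"{ip}: about {len(seqs)} host(s) behind it")
        for seq in seqs:
            print("   ", seq)
```

Run it and the twelve packets fall into three chains, so the single public address resolves to three hosts despite the NAT. Two caveats matter in practice: if two hosts' counters happen to sit within `MAX_GAP` of each other their packets merge into one chain (the estimate is a lower bound), and if the sniffer drops more than `MAX_GAP` packets in a row a single host splits into two chains (an overestimate). Neither fix is free, which is the "nowhere near as convenient as a public IP address" point in the reply above; it is also why IPv6 privacy addresses, which give each host a rotating public address rather than a shared one with a leaky counter, are a different and better answer than NAT.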
More information about the NANOG mailing list