v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Stephen Sprunk stephen at sprunk.org
Sat Feb 7 02:20:40 UTC 2009


Roger Marquis wrote:
> Seth Mattinen wrote:
>> Far too many people see NAT as synonymous with a firewall so they 
>> think if you take away their NAT you're taking away the security of a 
>> firewall.
>
> NAT provides some security, often enough to make a firewall 
> unnecessary. It all depends on what's inside the edge device.  But 
> really, I've never heard anyone seriously equate a simple NAT device 
> with a firewall.

You must be very sheltered.  Most end users, even "security" folks at 
major corporations, think a NAT box is a firewall and disabling NAT is 
inherently less secure.  Part of that is factual: NAT (er, dynamic PAT) 
devices are inherently fail-closed because of their design, while a 
firewall might fail open.  Also, NAT prevents some information leakage 
by hiding the internal details of the site's network, and many folks 
place a high value on "security" through obscurity.  This is 
understandable, since the real threats -- uneducated users and flawed 
software -- are ones they have no power to fix.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
