v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Stephen Sprunk stephen at sprunk.org
Fri Feb 6 20:20:40 CST 2009


Roger Marquis wrote:
> Seth Mattinen wrote:
>> Far too many people see NAT as synonymous with a firewall so they 
>> think if you take away their NAT you're taking away the security of a 
>> firewall.
>
> NAT provides some security, often enough to make a firewall 
> unnecessary. It all depends on what's inside the edge device.  But 
> really, I've never heard anyone seriously equate a simple NAT device 
> with a firewall.

You must be very sheltered.  Most end users, even "security" folks at 
major corporations, think a NAT box is a firewall and disabling NAT is 
inherently less secure.  Part of that is factual: NAT (er, dynamic PAT) 
devices are inherently fail-closed because of their design, while a 
firewall might fail open.  Also, NAT prevents some information leakage 
by hiding the internal details of the site's network, and many folks 
place a high value on "security" through obscurity.  This is 
understandable, since the real threats -- uneducated users and flawed 
software -- are ones they have no power to fix.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090206/f817868f/attachment.bin>


More information about the NANOG mailing list