Can NAT provide some kind of protection?

Steven Kurylo skurylo+nanog at gmail.com
Wed Jan 12 17:57:51 UTC 2011


On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates <jbates at brightok.net> wrote:
>
> As my corp IT guy put it to me, PAT forces a routing disconnect between
> internal and external. There is no way to reach the hosts without the
> firewall performing its NAT function.

But that's not true.  If you have NAT, without a firewall, I can
access your internal hosts (by addressing their RFC 1918 address)
because you'll be leaking your RFC 1918 addresses in and out.
Granted, I might have to be in your immediate upstream, but it can be
done.

So at best, all it does is limit how many hops away I need to be from
you to attack you.

Some benefit?  Yes.  Enough benefit to be worth the trouble?  I
personally am not convinced.

Considering the number of people who mistake the amount of security
NAT provides, we're probably better off without it to remove that
false sense of security.
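The behaviour argued about above, as an added toy model that is not part of the original post: a PAT gateway keeps a translation table for flows that originated inside, but a packet arriving from the WAN side that is already addressed to an inside RFC 1918 host matches no translation at all. A NAT-only box then makes an ordinary routing decision, and since the inside prefix is directly connected, the packet is forwarded; only a stateful filter drops it. The prefixes, ports and the `Gateway` class are constructed for illustration (10.0.0.0/24 as the LAN, 203.0.113.1 as the public address) and assume the upstream actually delivers the RFC 1918-addressed packet to the gateway's WAN interface, which is the "I might have to be in your immediate upstream" caveat from the post.

```python
"""Toy model of a NAT/PAT gateway with and without a stateful firewall.

Constructed example: shows why address translation alone does not stop
a WAN-side packet addressed directly to an inside RFC 1918 host.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")      # assumed LAN prefix
OUTSIDE_ADDR = ipaddress.ip_address("203.0.113.1")    # assumed public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Gateway:
    """PAT gateway; 'stateful_firewall' adds a default-deny on WAN -> LAN."""

    def __init__(self, stateful_firewall: bool):
        self.stateful_firewall = stateful_firewall
        # public port -> (inside address, inside port)
        self.nat: Dict[int, Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate a PAT binding and rewrite the source."""
        port = self.next_port
        self.next_port += 1
        self.nat[port] = (pkt.src, pkt.sport)
        return Packet(str(OUTSIDE_ADDR), pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the packet as delivered inside, or None if dropped."""
        dst = ipaddress.ip_address(pkt.dst)

        # Case 1: addressed to the public address. Only a port with a live
        # binding is translated; anything else has nowhere to go.
        if dst == OUTSIDE_ADDR:
            binding = self.nat.get(pkt.dport)
            if binding is None:
                return None
            in_ip, in_port = binding
            return Packet(pkt.src, in_ip, pkt.sport, in_port)

        # Case 2: already addressed to an inside RFC 1918 host. No NAT rule
        # matches, so the NAT function is simply not involved.
        if dst in INSIDE_NET:
            if self.stateful_firewall:
                return None  # unsolicited from the WAN side: default deny
            # NAT-only box: the destination prefix is directly connected,
            # so the routing table forwards the packet unchanged.
            return pkt

        return None  # not destined for this gateway or its LAN


# Probe from an upstream host aimed straight at an inside address.
PROBE = Packet("198.51.100.7", "10.0.0.5", 12345, 22)


def nat_only_forwards_probe() -> bool:
    """With NAT but no filter, the RFC 1918-addressed probe reaches the host."""
    return Gateway(stateful_firewall=False).inbound(PROBE) is not None


def firewall_drops_probe() -> bool:
    """With a stateful filter in front of NAT, the same probe is dropped."""
    return Gateway(stateful_firewall=True).inbound(PROBE) is None


def reply_to_outbound_flow(stateful_firewall: bool) -> Optional[Packet]:
    """Legitimate return traffic is translated back either way."""
    gw = Gateway(stateful_firewall)
    out = gw.outbound(Packet("10.0.0.5", "198.51.100.7", 51000, 80))
    reply = Packet("198.51.100.7", out.src, 80, out.sport)
    return gw.inbound(reply)


if __name__ == "__main__":
    print("NAT-only forwards probe to 10.0.0.5:", nat_only_forwards_probe())
    print("Stateful firewall drops probe:     ", firewall_drops_probe())
    print("Reply through firewall delivered:  ", reply_to_outbound_flow(True))
```

Real gateways differ in detail (conntrack, interface-based rules, whether the upstream even routes RFC 1918 destinations toward you), but the structure is the same: the translation table governs only flows it created, and the decision about an untranslated inbound packet belongs to the forwarding policy, not to NAT.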
