Arguing against using public IP space
Chuck Church
chuckchurch at gmail.com
Sun Nov 13 22:43:46 UTC 2011
When you all say NAT, are you implying PAT as well? 1 to 1 NAT really
provides no security. But with PAT, different story. Are there poor
implementations of PAT that don't enforce an exact port/address match for
the translation table? If the translation table isn't at fault, are the
'helpers' that allow ftp to work passively to blame?
Chuck
-----Original Message-----
From: Doug Barton [mailto:dougb at dougbarton.us]
Sent: Sunday, November 13, 2011 4:49 PM
To: Phil Regnauld
Cc: nanog at nanog.org
Subject: Re: Arguing against using public IP space
On 11/13/2011 13:27, Phil Regnauld wrote:
> That's not exactly correct. NAT doesn't imply firewalling/filtering.
> To illustrate this to customers, I've mounted attacks/scans on
> hosts behind NAT devices, from the interconnect network immediately
> outside: if you can point a route with the ext ip of the NAT device
> as the next hop, it usually just forwards the packets...
Have you written this up anywhere? It would be absolutely awesome to be able
to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration
of why it isn't.
Doug
--
"We could put the whole Internet into a book."
"Too practical."
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
More information about the NANOG
mailing list