Arguing against using public IP space

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Doug Barton (dougb) writes:
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > 	That's not exactly correct. NAT doesn't imply firewalling/filtering.
> > 	To illustrate this to customers, I've mounted attacks/scans on
> > 	hosts behind NAT devices, from the interconnect network immediately
> > 	outside: if you can point a route with the ext ip of the NAT device
> > 	as the next hop, it usually just forwards the packets...
> 
> Have you written this up anywhere? It would be absolutely awesome to be
> able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.

	Nope, but I could do a quick tut on how to do this against a natd/pf/
	iptables or IOS with IP overload.

	Arguably in *most* cases your CPE or whatever is NATing is behind
	some upstream device doing ingress filtering, so you still need to
	be compromising a device fairly close to the target network.

	P.

• Previous message (by thread): Arguing against using public IP space
• Next message (by thread): Arguing against using public IP space
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]