Ok; let's have the "Does DNAT contribute to Security" argument one more time...
Lyndon Nerenberg
lyndon at orthanc.ca
Mon Nov 14 23:01:30 UTC 2011
> There really is no winner or "right way" on this thread. In IPv4 as a
> security guy we have often implemented NAT as an extra layer of obfuscation.
It's worse than just obfuscation. The 'security' side effect of NAT can
typically be implemented by four or five rules in a traditional firewall.
But a NAT implementation adds thousands of lines of code to the path the
packets take, and any time you introduce complexity you decrease the
overall security of the system. And the complexity extends beyond the NAT
box. Hacking on IPsec, SIP, and lord knows what else to work around
address rewriting adds even more opportunities for something to screw up.
If you want security, you have to DEcrease the number of lines of code in
the switching path, not add to it.
Complexity is evil. It's a shame this is no longer taught in computing
courses. And I mean taught as a philosophy, not as a function of line
count or any other bean-counter metrics.
--lyndon
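The "four or five rules in a traditional firewall" that reproduce NAT's only real security side effect (unsolicited inbound traffic is dropped, replies to outbound flows are allowed), as an added nftables example that is not from the original post; the interface names lan0/wan0 and the 2001:db8::10 address are assumed placeholders for a gateway with globally routable addresses and no address rewriting:

```nft
# Hypothetical dual-interface gateway: LAN on lan0, upstream on wan0, no NAT.
table inet edge {
    chain forward {
        # Unsolicited traffic in either direction is dropped by default.
        type filter hook forward priority 0; policy drop;

        # Packets that belong to no known flow (bad TCP state, spoofed replies).
        ct state invalid drop

        # Replies to flows a LAN host started; "related" also covers the
        # ICMP/ICMPv6 errors (packet-too-big etc.) tied to those flows.
        ct state established,related accept

        # LAN hosts may open outbound connections.
        iifname "lan0" oifname "wan0" accept

        # Exposing a service is one explicit rule instead of a port-forward,
        # and the packet reaches the host with its real addresses intact,
        # so IPsec, SIP and similar protocols need no NAT workarounds:
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 443 accept
    }
}
```

Loaded with `nft -f`, this is the whole inbound-blocking behaviour people attribute to NAT, with nothing rewritten in the packet path.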