Ok; let's have the "Does DNAT contribute to Security" argument one more time...

William Herrin bill at herrin.us
Tue Nov 15 00:06:13 UTC 2011


On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg <lyndon at orthanc.ca> wrote:
> But a NAT implementation adds thousands of lines of code to the path the
> packets take, and any time you introduce complexity you decrease the overall
> security of the system.  And the complexity extends beyond the NAT box.
>  Hacking on IPsec, SIP, and lord knows what else to work around address
> rewriting adds even more opportunities for something to screw up.
>
> If you want security, you have to DEcrease the number of lines of code in
> the switching path, not add to it.

Hi Lyndon,

Counterpoint:

Using two firewalls in serial from two different vendors doubles the
complexity. Yet it almost always improves security: fat fingers on one
firewall rarely repeat the same way on the second and a rogue packet
must pass both.

The same two firewalls in parallel surely reduce security.


Is complexity the enemy of security? In general principle yes, but as
with many things IT DEPENDS.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
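The series-versus-parallel point above can be made concrete with a toy packet filter. This is an added example, not code from the thread or from Bill Herrin: the `Packet`/`Rule` types, the first-match evaluator and the two constructed rule sets (a "vendor B" box carrying an accidental extra allow) are assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "any" or self.proto == pkt.proto
        port_ok = self.dst_port is None or self.dst_port == pkt.dst_port
        return proto_ok and port_ok


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


def in_series(rulesets: List[List[Rule]], pkt: Packet) -> bool:
    """Firewalls chained one behind the other: the packet must pass every one."""
    return all(evaluate(rules, pkt) for rules in rulesets)


def in_parallel(rulesets: List[List[Rule]], pkt: Packet) -> bool:
    """Firewalls side by side on redundant paths: passing any one is enough."""
    return any(evaluate(rules, pkt) for rules in rulesets)


# Constructed rule sets. Intended policy on both boxes: allow inbound HTTPS only.
VENDOR_A = [Rule("allow", "tcp", 443)]
# Vendor B carries the fat-finger: an extra allow for tcp/445 left in by mistake.
VENDOR_B = [Rule("allow", "tcp", 443), Rule("allow", "tcp", 445)]


def compare() -> Dict[str, bool]:
    """Run the wanted packet and the rogue packet through both topologies."""
    https = Packet("tcp", 443)   # the traffic the policy intends to admit
    smb = Packet("tcp", 445)     # the rogue packet that B's typo would admit
    boxes = [VENDOR_A, VENDOR_B]
    return {
        "series_passes_https": in_series(boxes, https),
        "series_passes_smb": in_series(boxes, smb),
        "parallel_passes_https": in_parallel(boxes, https),
        "parallel_passes_smb": in_parallel(boxes, smb),
    }


if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

In series the typo on B is masked because A still drops tcp/445; in parallel the same typo opens the port, since the rogue packet only needs one box to say yes. The flip side of the same model is worth noting: a typo that accidentally removes a needed allow on one box breaks the wanted traffic in series (the chain fails closed) while the parallel layout keeps it flowing, which is the availability cost that comes with the extra layer.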



