Arguing against using public IP space

Owen DeLong owen at delong.com
Tue Nov 15 15:32:37 UTC 2011


On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:

> 
> 
> On 14 Nov 2011, at 18:52, "McCall, Gabriel" <Gabriel.McCall at thyssenkrupp.com> wrote:
> 
>> Chuck, you're right that this should not happen- but the reason it should not happen is because you have a properly functioning stateful firewall, not because you're using NAT. If your firewall is working properly, then having public addresses behind it is no less secure than private. And if your firewall is not working properly, then having private addresses behind it is no more secure than public. In either case, NAT gains you nothing over what you'd have with a firewalled public-address subnet.
> 
> 
> Well this is not quite true, is it.. If your firewall is not working and you have private space internally then you are a lot better off then if you have public space internally! So if your firewall is not working then having private space on one side is a hell of a lot more secure!
> 
This is not true.

If your firewall is not working, it should not be passing packets.

If you put a router where you needed a firewall, then, this is not a failure of the firewall, but, a
failure of the network implementor and the address space will not have any impact whatsoever
on your lack of security.

> As somebody else mentioned on this thread, a NAT box with private space on one side fails closed.
> 

So does a firewall.

Owen





More information about the NANOG mailing list