misunderstanding scale

William Herrin bill at herrin.us
Mon Mar 24 18:38:53 UTC 2014


On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee at asgard.org> wrote:
> On 3/24/14 1:37 PM, "William Herrin" <bill at herrin.us> wrote:
>>That would be one of those "details" on which smart people disagree.
>>In this case, I think you're wrong. Modern NAT superseded the
>>transparent proxies and bastion hosts of the '90s because it does the
>>same security job a little more smoothly. And proxies WERE designed to
>>act as a security feature.
>
> What kinds of devices are we talking about here?  Are we talking about the
> default NAT on a home network router, or an enterprise-level NAT operating
> on a firewall?

Hi Lee,

I don't see NAT as a deployment issue for residential networks. Most
folks just hook their computer up to whatever CPE the vendor sends
them without any further attention.


> If we're talking about an enterprise firewall, then I don't
> understand--we're talking about a firewall.  If it implements a symmetric
> NAT in addition to a stateful firewall, then it's implementing the same
> function twice.  But, hey, it's your network, if
> security-through-obscurity is one of your defense in depth layers, that's
> fine.

"Obscurity" offers one or more defense layers. If you disagree, post
your passwords here.

Unaddressibility is a second defense layer.

Stateful firewalling is a third.

You observe that all three are accomplished by the same lines of code
in the firewall. The firewall doesn't exist in a void. It's part of a
system. That system is configured with unroutable addresses or it
isn't. It has many public addresses or it doesn't.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004



More information about the NANOG mailing list