misunderstanding scale

William Herrin bill at herrin.us
Mon Mar 24 18:38:53 UTC 2014

On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee at asgard.org> wrote:
> On 3/24/14 1:37 PM, "William Herrin" <bill at herrin.us> wrote:
>>That would be one of those "details" on which smart people disagree.
>>In this case, I think you're wrong. Modern NAT superseded the
>>transparent proxies and bastion hosts of the '90s because it does the
>>same security job a little more smoothly. And proxies WERE designed to
>>act as a security feature.
> What kinds of devices are we talking about here?  Are we talking about the
> default NAT on a home network router, or an enterprise-level NAT operating
> on a firewall?

Hi Lee,

I don't see NAT as a deployment issue for residential networks. Most
folks just hook their computer up to whatever CPE the vendor sends
them without any further attention.

> If we're talking about an enterprise firewall, then I don't
> understand--we're talking about a firewall.  If it implements a symmetric
> NAT in addition to a stateful firewall, then it's implementing the same
> function twice.  But, hey, it's your network, if
> security-through-obscurity is one of your defense in depth layers, that's
> fine.

"Obscurity" offers one or more defense layers. If you disagree, post
your passwords here.

Unaddressability is a second defense layer.

Stateful firewalling is a third.

You observe that all three are accomplished by the same lines of code
in the firewall. The firewall doesn't exist in a void. It's part of a
system. That system is configured with unroutable addresses or it
isn't. It has many public addresses or it doesn't.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
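As an added illustration of the two configurations this exchange contrasts (not code from the original post or from either participant): an nftables ruleset in which a stateful forward chain and an IPv4 source NAT are configured together, with the stateful rule and the address-hiding rule visible as separate lines. Interface names, the inside prefix, and the assumption that eth0 faces the Internet are made up for the example.

```nft
# Added illustration, not from the original post. Assumes eth0 faces the
# Internet and eth1 the inside network; the inside prefix is made up.

table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful layer: only packets belonging to connections already
        # initiated from inside are allowed back in. This line is the same
        # whether or not NAT is in use, and it covers IPv4 and IPv6 alike.
        ct state established,related accept

        # Inside hosts may initiate connections toward the Internet.
        iifname "eth1" oifname "eth0" accept
    }
}

# IPv4 only: rewrite inside sources to the public address on eth0. With
# this table present, inside hosts sit on 10.0.0.0/8 and have no address
# the Internet can route to; without it (as on IPv6, where each inside
# host carries a globally routable address) the forward chain above is
# the only thing refusing unsolicited inbound traffic.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/8 masquerade
    }
}
```

The `inet fw` table is what Lee calls the stateful firewall; the `ip nat` table is the symmetric NAT. Removing the second table changes nothing in the first, which is the sense in which the filtering is "the same lines of code" either way, while the address plan (RFC 1918 inside versus public addresses throughout) is decided outside the ruleset.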
