North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Where NAT disenfranchises the end-user ...
Roeland Meyer <[email protected]> writes: > |> From: Jared Mauch [mailto:[email protected]] > |> Sent: Sunday, September 09, 2001 2:49 PM > > |> Let me reprhase my inital statement, "In most cases i've seen > |> where someone is using NAT it's part of a security policy and not due > |> to lack of available address space". > > Jared, those whom depend on an accident, for security, deserve what happens > when the accident undoes itself. I was just over on www.netcraft.com, > checking out their stats for the CodeRed worm. I was amazed at how fast IIS > admins responded by applying the patches. If NAT were suddenly "fixed", any > incidental security is toast. NAT was never designed for, and was never > intended as, a security method. Any current protection is strictly the > result of a side-effect. The side-effect that breaks the internet > connection. It's a result of the connection being broken. A properly built > firewall is much more effective and definitely more deterministic. Neither > is it vulnerable to a "fix patch". I don't understand what kind of "fix patch" you're talking about here...NAT uses the same techniques that a stateful firewall uses; if you can find some kind of "fix patch" to bypass NAT, chances are excellent it will work on a stateful firewally, too. I've actually seen the question of how NAT breaks the Internet more than a good stateful firewall come up more than once, and haven't really seen a satisfactory answer. Where does a stateful firewall configured to only allow outgoing connections work that NAT doesn't? I ask not to drag this discussion on, but because I use NAT for address conservation and security on a couple networks that I operate, and am curious if I'd be much better off with something different... -----ScottG.