North American Network Operators Group


Re: Where NAT disenfranchises the end-user ...

  • From: Scott Gifford
  • Date: Mon Sep 10 13:33:19 2001

Roeland Meyer <[email protected]> writes:

> |> From: Jared Mauch [mailto:[email protected]]
> |> Sent: Sunday, September 09, 2001 2:49 PM
> 
> |> 	Let me rephrase my initial statement, "In most cases I've seen
> |> where someone is using NAT it's part of a security policy and not due
> |> to lack of available address space".
> 
> Jared, those who depend on an accident, for security, deserve what happens
> when the accident undoes itself. I was just over on www.netcraft.com,
> checking out their stats for the CodeRed worm. I was amazed at how fast IIS
> admins responded by applying the patches. If NAT were suddenly "fixed", any
> incidental security is toast. NAT was never designed for, and was never
> intended as, a security method. Any current protection is strictly the
> result of a side-effect. The side-effect that breaks the internet
> connection. It's a result of the connection being broken. A properly built
> firewall is much more effective and definitely more deterministic. Neither
> is it vulnerable to a "fix patch".

I don't understand what kind of "fix patch" you're talking about
here...NAT uses the same techniques that a stateful firewall uses; if
you can find some kind of "fix patch" to bypass NAT, chances are
excellent it will work on a stateful firewall, too.

I've actually seen the question of how NAT breaks the Internet more
than a good stateful firewall come up more than once, and haven't
really seen a satisfactory answer.  Where does a stateful firewall
configured to only allow outgoing connections work that NAT doesn't?

I ask not to drag this discussion on, but because I use NAT for
address conservation and security on a couple networks that I operate,
and am curious if I'd be much better off with something different...

-----ScottG.
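
A simplified model of the comparison raised in the message above, added here as an illustration and not part of the original post: both devices admit an inbound packet only when it matches a flow that an inside host opened, and the NAT additionally rewrites the source address and port. The class names, the port range, the strict per-remote matching and the documentation-range addresses are assumptions of this sketch.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Outbound-only policy: inbound passes only as a reply to a tracked flow."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add(p)              # record the flow; addresses are untouched
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        opened = Packet(p.dst, p.dport, p.src, p.sport)
        return p if opened in self.flows else None   # None = dropped

class PortNat:
    """Port-translating NAT: the same flow tracking plus a source rewrite."""
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}   # inside flow -> allocated public port
        self.in_map = {}    # (public port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, p: Packet) -> Packet:
        if p not in self.out_map:
            self.out_map[p] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[p], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or inside is None:
            return None                # no matching flow: dropped
        return Packet(p.src, p.sport, *inside)

if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges.
    nat = PortNat("203.0.113.1")
    sent = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    print("reply:", nat.inbound(Packet("198.51.100.7", 80, sent.src, sent.sport)))
    print("unsolicited:", nat.inbound(Packet("192.0.2.9", 4444, sent.src, sent.sport)))
```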