North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: IPv6 NAT
Scott McGrath wrote: > Agreed NAT's do not create security although many customers believe they > do. NAT's _are_ extremely useful in hiding network topologies from casual > inspection. This is another bogus argument, and clearly you have not done the math on how long it takes to scan a /64 worth of subnet space. Start by assuming a /16 per second (which is well beyond what I have found as current technology) and see how long 2^48 seconds is. > > What I usually recommend to those who need NAT is a stateful firewall in > front of the NAT. The rationale being the NAT hides the topology and the > stateful firewall provides the security boundary. Obscuring the topology provides absolutely no security either. You are not alone, as it is frequently a recommended practice, but obscurity != security no matter how much it is sold as such. Tony
|