North American Network Operators Group


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Tony Hain
  • Date: Mon Jun 04 16:10:49 2007

Jim Shankland wrote:
> Owen DeLong <[email protected]> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
> 
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
> 
> *No* security gain?  No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN?  Or to access a single, corporate Web site?
> 
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box?  When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
> 
> Jim Shankland

Mangling the header did nothing for 'security'. The lack of state at the
network edge is the security tool here. A firewall provides that state
function without the side effect of header mangling.

If you really believe in your 1918/nat providing security, do the experiment
you propose above, but put in a state mapping for the public address of the
nat to the 1918 address of your Linux box.

Tony
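To make the point of the reply concrete, here is a small Python model (an added example, not code from either poster) of an edge device with a connection-tracking table; the Edge and Packet classes and all addresses and ports are constructed for illustration. It shows that an unsolicited inbound probe is dropped equally by a NAT box and by a stateful firewall in front of public addresses, that both pass replies to outbound flows, and that the static mapping Tony describes is what lets the probe reach the inside host.

```python
from dataclasses import dataclass, field
from typing import Optional

LAN_HOST = "192.168.1.10"   # constructed RFC 1918 address of the Linux box
FW_HOST = "203.0.113.10"    # constructed public address for the no-NAT case
PUBLIC = "203.0.113.1"      # constructed public address of the edge device
REMOTE = "198.51.100.7"     # constructed outside host doing the probing

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Edge:
    """Hypothetical edge device: stateful filter, optionally NATing outbound traffic."""
    nat: bool
    static_map: dict = field(default_factory=dict)  # dport -> inside host (port forward)
    flows: dict = field(default_factory=dict)       # expected reply 4-tuple -> inside host

    def outbound(self, pkt: Packet) -> Packet:
        ext_ip = PUBLIC if self.nat else pkt.src    # header mangling happens only here
        # The state entry, keyed by the reply's 4-tuple, is what lets the answer back in.
        self.flows[(pkt.dst, pkt.dport, ext_ip, pkt.sport)] = pkt.src
        return Packet(ext_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host that receives the packet, or None if the edge drops it."""
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside:
            return inside                           # reply to an existing flow
        if self.nat and pkt.dst == PUBLIC and pkt.dport in self.static_map:
            return self.static_map[pkt.dport]       # static mapping: unsolicited but forwarded
        return None                                 # no state, no mapping: dropped

def run_scenarios() -> dict:
    nat_only = Edge(nat=True)                                # Jim's experiment
    fw_only = Edge(nat=False)                                # public address + stateful firewall
    nat_forward = Edge(nat=True, static_map={22: LAN_HOST})  # Tony's variant
    r = {}
    r["nat_only_scan"] = nat_only.inbound(Packet(REMOTE, 40000, PUBLIC, 22))
    r["fw_only_scan"] = fw_only.inbound(Packet(REMOTE, 40000, FW_HOST, 22))
    r["nat_forward_scan"] = nat_forward.inbound(Packet(REMOTE, 40000, PUBLIC, 22))
    out = nat_only.outbound(Packet(LAN_HOST, 51000, REMOTE, 443))   # legitimate outbound
    r["nat_only_reply"] = nat_only.inbound(Packet(REMOTE, 443, out.src, out.sport))
    out = fw_only.outbound(Packet(FW_HOST, 51000, REMOTE, 443))
    r["fw_only_reply"] = fw_only.inbound(Packet(REMOTE, 443, out.src, out.sport))
    return r
```

`run_scenarios()` returns None for the two unsolicited probes without a mapping, the inside host for the mapped one, and the inside host for both legitimate replies.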