North American Network Operators Group

RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
Jim Shankland wrote:

> Owen DeLong <[email protected]> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
> *No* security gain? No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN? Or to access a single, corporate Web site?
>
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box? When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
>
> Jim Shankland

Mangling the header did nothing for 'security'. The lack of state at the
network edge is the security tool here. A firewall provides that state
function without the side effect of header mangling.

If you really believe in your 1918/nat providing security, do the
experiment you propose above, but put in a state mapping for the public
address of the nat to the 1918 address of your Linux box.

Tony
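The point Tony makes, that the protection comes from connection state at the edge and not from rewriting addresses, can be shown with a small simulation. This is an added example, not code from the NANOG thread; the `StatefulEdge` and `Packet` classes, the addresses (RFC 5737 test networks and 10.0.0.5) and the port numbers are all constructed for illustration. The same edge object acts as a NAT when `translate=True` and as a plain stateful firewall when `translate=False`; a `static_map` entry is the "state mapping for the public address" from the post.

```python
"""Simulate an edge device with a connection table, with and without NAT.

Added example for the NANOG thread above; addresses, ports and class
names are constructed, not taken from the post.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulEdge:
    """Edge with a flow table.  translate=True rewrites the source of
    outbound packets to the public address (NAT); translate=False passes
    the real source through (stateful firewall, no header mangling).
    static_map maps a public port to (inside host, inside port), i.e. a
    port forward / static state mapping."""

    def __init__(self, public_ip, translate, static_map=None):
        self.public_ip = public_ip
        self.translate = translate
        self.static_map = static_map or {}
        self.flows = {}     # (in_src, in_sport, dst, dport) -> (ext_ip, ext_port)
        self.reverse = {}   # (peer_ip, peer_port, ext_ip, ext_port) -> (in_src, in_sport)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host sends a packet out: record state, translate if NAT."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if self.translate:
                ext = (self.public_ip, self.next_port)
                self.next_port += 1
            else:
                ext = (pkt.src, pkt.sport)
            self.flows[key] = ext
            self.reverse[(pkt.dst, pkt.dport) + ext] = (pkt.src, pkt.sport)
        ext_ip, ext_port = self.flows[key]
        return replace(pkt, src=ext_ip, sport=ext_port)

    def inbound(self, pkt):
        """Packet from outside: ('accept', delivered packet) or ('drop', None)."""
        # 1. Reply to a flow the inside host opened: state exists, accept.
        inner = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inner:
            return "accept", replace(pkt, dst=inner[0], dport=inner[1])
        # 2. Static mapping: unsolicited traffic is handed to the inside host.
        if pkt.dport in self.static_map:
            ihost, iport = self.static_map[pkt.dport]
            return "accept", replace(pkt, dst=ihost, dport=iport)
        # 3. No state at all: dropped, translated addresses or not.
        return "drop", None


def run_experiment():
    """Run the post's experiment in three configurations; return the verdicts."""
    public = "198.51.100.1"       # edge's public address (constructed)
    rfc1918_host = "10.0.0.5"     # the Linux box behind NAT (constructed)
    real_host = "198.51.100.5"    # same box if it had a real address (constructed)
    scanner = "203.0.113.9"       # outside prober (constructed)
    out = {}

    # (a) NAT, no mapping: unsolicited SSH probe to the public address.
    nat = StatefulEdge(public, translate=True)
    out["nat_unsolicited"] = nat.inbound(Packet(scanner, 55555, public, 22))[0]

    # (b) Stateful firewall, host on a real address, nothing rewritten.
    fw = StatefulEdge(public, translate=False)
    out["firewall_unsolicited"] = fw.inbound(Packet(scanner, 55555, real_host, 22))[0]

    # (c) NAT plus a state mapping public:22 -> 10.0.0.5:22, as Tony suggests.
    mapped = StatefulEdge(public, translate=True, static_map={22: (rfc1918_host, 22)})
    verdict, delivered = mapped.inbound(Packet(scanner, 55555, public, 22))
    out["nat_with_mapping"] = (verdict, delivered.dst, delivered.dport)

    # (d) Replies to connections the inside host opened pass in both modes.
    for name, edge, host in (("nat_reply", nat, rfc1918_host),
                             ("firewall_reply", fw, real_host)):
        seen_outside = edge.outbound(Packet(host, 51000, scanner, 443))
        reply = Packet(scanner, 443, seen_outside.src, seen_outside.sport)
        out[name] = edge.inbound(reply)[0]
    return out


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k}: {v}")
```

Cases (a) and (b) produce the same verdict: the unsolicited probe is dropped because no flow exists, and whether the inside host holds 10.0.0.5 or a real address never enters the decision. Case (c) is the experiment Tony proposes: once a static mapping exists, the RFC1918 address does nothing to keep the probe from reaching port 22 on the box. Case (d) shows the state table doing its actual job in both modes.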