North American Network Operators Group

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
> From [email protected] Mon Jun 4 13:54:55 2007
> Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
> Date: Mon, 4 Jun 2007 14:47:06 -0400
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
> > Shall I do the experiment again where I set up a Linux box
> > at an RFC1918 address, behind a NAT device, publish the root
> > password of the Linux box and its RFC1918 address, and invite
> > all comers to prove me wrong by showing evidence that they've
> > successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up
> a linux box with a globally-unique address, put it behind a firewall
> which blocks all incoming traffic to that box, and issue a similar
> invitation.
>
> Do you think the results will be different?

Consider the possible *FAILURE* modes.

e.g. (1) where somebody brings up _another_ path between the LAN that
         that box is on, and the public internet, with no translations
         or other protections whatsoever.
     (2) where the 'protection box' "fails open" -- e.g. passes all
         traffic without modification.

NAT/PAT is 'belt and suspenders', but it *does* provide an additional
layer of protection, _if_the_primary_protection_fails_.

That 'additional protection' may or may not be 'significant', depending
on one's viewpoint.