Re: Security gain from NAT

North American Network Operators Group

Re: Security gain from NAT

From: Dave Israel
Date: Mon Jun 04 17:05:04 2007

[email protected] wrote:

On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:

*No* security gain?  No protection against port scans from Bucharest?
No protection for a machine that is used in practice only on the
local, office LAN?  Or to access a single, corporate Web site?


Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
configured stateful *non*-NAT firewall should be doing for you already.

What the firewall *should* be doing? The end devices *should* not need protection in the first place, because they *should* be secure as individual devices. But they are not. So you put a firewall in front of them, and that device *should* give them all the protection they need. But sometimes, it doesn't. So you make end devices unaddressable by normal means, and while it shouldn't give them more security, it turns out it does. No matter how much it shouldn't, and how much we wish it didn't, it does.

The difference between theory and practice is that in theory, there is no difference, but in practice, there is.

Follow-Ups:
- Re: Security gain from NAT Fred Baker
- Re: Security gain from NAT Edward B. DREGER

References:
- Re: Cool IPv6 Stuff Owen DeLong
- Cool IPv6 Stuff Jeroen Massar
- Re: Cool IPv6 Stuff Jared Mauch
- Re: Cool IPv6 Stuff Sam Stickland
- Re: Cool IPv6 Stuff Adrian Chadd
- Re: Cool IPv6 Stuff Joel Jaeggli
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks

Prev by Date: RE: Security gain from NAT
Next by Date: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
Date Index
Thread Index
Author Index
Historical