North American Network Operators Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
- From: Dorn Hetzel
- Date: Mon Jun 04 18:38:37 2007
Sure, NAT can't prevent users from running with scissors, but sometimes it does block the scissors thrown at the back of their neck whilst they are sleeping :)
On 6/4/07, [email protected] <[email protected]> wrote:
On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said:
> I can't pass over Valdis's statement that a "good properly configured
> stateful firewall should be doing [this] already" without noting
> that on today's Internet, the gap between "should" and "is" is
> often large.
Let's not forget all the NAT boxes out there that are *perfectly* willing
to let a system make an *outbound* connection. So the user makes a first outbound connection to visit a web page, gets exploited, and the exploit then phones home to download more malware.
Yeah, that NAT *should* be providing security, but as you point out, there's
that big gap between should and is... :)