North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
- From: Owen DeLong
- Date: Mon Jun 04 19:23:40 2007
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
Owen DeLong <[email protected]> writes:
There's no security gain from not having real IPs on machines.
Any belief that there is results from a lack of understanding.
This is one of those assertions that gets repeated so often people
are liable to start believing it's true :-).
Maybe because it _IS_ true.
*No* security gain? No protection against port scans from
Bucharest?
No protection for a machine that is used in practice only on the
local, office LAN? Or to access a single, corporate Web site?
Correct. There's nothing you get from NAT in that respect that
you do
not get from good stateful inspection firewalls. NONE whatsoever.
Sorry, Owen, but your argument is ridiculous. The original
statement was
"[t]here's no security gain from not having real IPs on machines". If
someone said, "there's no security gain from locking your doors",
would you
refute it by arguing that there's no security gain from locking
your doors
that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:
There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.
I posit that a screen door does not provide any security. A lock and
deadbolt provide some security. NAT/PAT is a screen door.
Not having public addresses is a screen door. A stateful inspection
firewall is a lock and deadbolt.
Owen
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
|