North American Network Operators Group
Re: Security gain from NAT
Donald Stahl wrote:
Ever try to set up a VPN between two offices using the same address space?
Sure, very easily, by using NAT between the subnets.
NAT is still evil though, the problems it causes operationally are just plain not worth it.
Stateful inspection provides security benefits.
Jeff McAdams wrote:
But it is correct. Just mangling the addresses in the headers doesn't actually stop anything from getting through, it just means it gets through mangled. The security comes from SI and dropping packets that don't have an active session established from inside, or related.
Perhaps it is difficult to understand this vernacular "NAT" after studying Comer, Stevens et al., but when you've run the equivalent of 'sh conn' regularly for several years, the narrow, some would say ivory tower, definition of NAT tends to morph into one based on actual implementations.
Since this mailing list is by and for network operators as opposed to academics, perhaps we could ask the latter (NANAGs?) to use footnotes(1) to clarify their meaning?
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
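As an added illustration of the distinction Jeff draws above between address rewriting and stateful inspection (this is example code written for this page, not anything posted in the thread), here is a toy source-NAT box in Python with the session check switchable. Without the check it behaves like a NAT with endpoint-independent filtering in RFC 4787 terms: anyone who learns the public port can reach the inside host, just with rewritten headers. With the check, only a peer the inside host already talked to gets through. The addresses are from the RFC 5737 documentation ranges and the single session is constructed for the demo.

```python
"""Toy model of a source-NAT box, with and without stateful inspection.

Added example for illustration; not code from the NANOG thread.
Addresses/ports below are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # the NAT box's outside address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Port-overloading source NAT. If stateful=True, inbound packets are
    additionally matched against sessions opened from the inside."""

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.next_port = 40000
        self.out = {}       # (inside src, sport) -> public port
        self.back = {}      # public port -> (inside src, sport)
        self.sessions = set()  # (inside src, sport, peer, peer port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and record the session."""
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(PUBLIC_IP, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Return the rewritten packet delivered inside, or None if dropped."""
        if pkt.dst != PUBLIC_IP or pkt.dport not in self.back:
            return None  # no mapping at all: nowhere to send it, both modes drop
        src, sport = self.back[pkt.dport]
        if self.stateful and (src, sport, pkt.src, pkt.sport) not in self.sessions:
            return None  # SI: no session was established from inside to this peer
        # Pure NAT: header is "mangled" back to the inside host and forwarded.
        return Packet(pkt.src, pkt.sport, src, sport)


def demo(stateful: bool):
    """Returns (legitimate reply delivered?, unsolicited probe delivered?)."""
    box = NatBox(stateful)
    # Inside host 10.0.0.5 opens a session to a web server on the outside.
    box.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    public_port = box.out[("10.0.0.5", 51000)]
    # The server's reply to the mapped port.
    reply = box.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, public_port))
    # A third party that learned the public port (e.g. by scanning) sends to it.
    probe = box.inbound(Packet("192.0.2.66", 9999, PUBLIC_IP, public_port))
    return reply is not None, probe is not None


if __name__ == "__main__":
    print("NAT only:       reply, probe delivered =", demo(False))
    print("NAT + stateful: reply, probe delivered =", demo(True))
```

In the NAT-only case the probe arrives at 10.0.0.5:51000 with a rewritten destination, which is exactly "it just means it gets through mangled"; only the session table drops it. Real implementations differ in where they sit on this spectrum (RFC 4787's filtering behaviours), which is why "NAT" in operator usage usually means the whole box, state table included.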