North American Network Operators Group

Re: Security gain from NAT

  • From: Donald Stahl
  • Date: Tue Jun 05 20:12:25 2007


Sure, very easily, by using NAT between the subnets.
Have at it. Nothing like trying to reach 10.10.10.10 and having to put in a dns entry pointing to 172.29.10.10, NAT'ing the address on your side to their side and from their side back to your side, and adding the rules. That's definitely simpler than allow a -> b for service c.

Can you clarify this claim? What about managing NAT is allegedly
difficult? Are you unable to easily map public addresses with private
addresses on your own networks?
Easily map them? Sure- I can do my external tcpdump, see some funny traffic, then match that up with the dynamic nat's. That's a lot easier than just going "oh, hey, it's this user" without any further steps.

I, for one, give up. No matter what you say I will never implement NAT, and you may or may not implement it if people make boxes that support it. Clearly neither of us will change our minds so why bother. I'm sure we've both gotten supportive emails in private and both know we are "right." In the end it isn't going to change a thing.

-Don