nanog mailing list archives
Re: mh (RE: OMB: IPv6 by June 2008)
From: Crist Clark <crist.clark () globalstar com>
Date: Fri, 08 Jul 2005 14:13:41 -0700
Jay R. Ashworth wrote:
> On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote:
>> On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:
>>> On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
>>>> And if you still want "the protection of NAT," any stateful firewall
>>>> will do it.
>>>
>>> That seems a common viewpoint. I believe the very existence of the
>>> Ping Of Death rebuts it. A machine behind a NAT box simply is not
>>> visible to the outside world, except for the protocols you tunnel to
>>> it, if any. This *has* to vastly reduce its attack exposure.
>>
>> Not really. Consider the logic in a NAT box:
>> [ ... ]
>> and the logic in a stateful firewall:
>
> Sorry. Given my other-end-of-the-telescope perspective, I was
> envisioning an *on-machine* firewall, rather than a box. Clearly *any*
> sort of box in the middle helps in the fashion I alluded to, whether it
> NATs or not.

Now I'm confused. Who runs *on-machine* NAT? I guess that's another nice option for firewalls. It doesn't matter whether your firewall runs locally or on a remote gateway.

Also, when people here are talking about NAT, note that we are only talking about many-to-one, overloading, PAT, or whatever you want to call it. If you are using NAT pools or one-to-one NAT, it buys you no protection at all unless you add firewalling to the mix.

--
Crist J. Clark                     crist.clark () globalstar com
Globalstar Communications          (408) 933-4387
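An added example, not part of the original message or thread: a minimal Python model of the three devices compared above (stateful firewall, many-to-one NAT/PAT, stateless one-to-one NAT), showing which of them delivers an unsolicited inbound packet. Class names, port numbers and addresses (documentation ranges) are constructed, and the PAT model assumes filtering keyed on the remote endpoint as well as the mapped port.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
SERVER, ATTACKER = "198.51.100.10", "203.0.113.66"  # constructed documentation addresses

class StatefulFirewall:
    """No translation; inbound passes only if it reverses a recorded outbound flow."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p):
        self.flows.add(p)
        return p
    def inbound(self, p):
        return p if Packet(p.dst, p.dport, p.src, p.sport) in self.flows else None

class Pat:
    """Many-to-one NAT; the translation table doubles as the state table."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}
    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = p
        return Packet(self.public_ip, port, p.dst, p.dport)
    def inbound(self, p):
        flow = self.table.get(p.dport)
        # Assumption: filtering is keyed on the remote endpoint as well as the port.
        if flow is None or (flow.dst, flow.dport) != (p.src, p.sport):
            return None
        return Packet(p.src, p.sport, flow.src, flow.sport)

class OneToOneNat:
    """Static address mapping, no state: every inbound packet is rewritten and forwarded."""
    def __init__(self, inside_ip, public_ip):
        self.inside_ip, self.public_ip = inside_ip, public_ip
    def outbound(self, p):
        return Packet(self.public_ip, p.sport, p.dst, p.dport)
    def inbound(self, p):
        return Packet(p.src, p.sport, self.inside_ip, p.dport) if p.dst == self.public_ip else None

def run(device, inside_ip, outside_ip):
    """Return (reply_delivered, unsolicited_probe_delivered) for one device."""
    out = device.outbound(Packet(inside_ip, 5000, SERVER, 80))
    reply = device.inbound(Packet(SERVER, 80, out.src, out.sport))
    probe = device.inbound(Packet(ATTACKER, 4444, outside_ip, 22))
    return reply is not None, probe is not None

if __name__ == "__main__":
    print("firewall", run(StatefulFirewall(), "192.0.2.5", "192.0.2.5"))
    print("PAT     ", run(Pat("192.0.2.1"), "10.0.0.5", "192.0.2.1"))
    print("1:1 NAT ", run(OneToOneNat("10.0.0.5", "192.0.2.1"), "10.0.0.5", "192.0.2.1"))
```

In this model the firewall and PAT drop the probe for the same reason, a missing state entry, while the one-to-one mapping has no state to consult and forwards it.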