nanog mailing list archives
RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: "Tony Hain" <alh-ietf () tndh net>
Date: Mon, 4 Jun 2007 12:12:18 -0700
Jim Shankland wrote:
Owen DeLong <owen () delong com> writes:There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding.This is one of those assertions that gets repeated so often people are liable to start believing it's true :-). *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site? Shall I do the experiment again where I set up a Linux box at an RFC1918 address, behind a NAT device, publish the root password of the Linux box and its RFC1918 address, and invite all comers to prove me wrong by showing evidence that they've successfully logged into the Linux box? When I last did this, I got a handful of emails, some quite snide, suggesting I was some combination of ignorant, stupid, and reckless; the Linux box for some reason remained unmolested. Jim Shankland
Mangling the header did nothing for 'security'. The lack of state at the network edge is the security tool here. A firewall provides that state function without the side effect of header mangling. If you really believe in your 1918/nat providing security, do the experiment you propose above, but put in a state mapping for the public address of the nat to the 1918 address of your Linux box. Tony
Current thread:
- Re: Security gain from NAT, (continued)
- Re: Security gain from NAT Leigh Porter (Jun 04)
- Re: Security gain from NAT Donald Stahl (Jun 04)
- Re: Security gain from NAT Dorn Hetzel (Jun 04)
- Re: Security gain from NAT Mattias Ahnberg (Jun 05)
- Re: Security gain from NAT Adrian Chadd (Jun 05)
- Re: Security gain from NAT James R. Cutler (Jun 05)
- Re: Security gain from NAT Matthew Palmer (Jun 04)
- Re: Security gain from NAT Sam Stickland (Jun 04)
- Re: Security gain from NAT Matthew Palmer (Jun 04)
- Re: Security gain from NAT Matthew Kaufman (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Tony Hain (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks (Jun 04)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Dorn Hetzel (Jun 04)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Daniel Senie (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Edward B. DREGER (Jun 04)
- Re: Security gain from NAT Richard P. Welty (Jun 04)
- Re: Security gain from NAT Donald Stahl (Jun 04)