nanog mailing list archives
Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Jim Shankland <nanog () shankland org>
Date: Mon, 04 Jun 2007 12:20:38 -0700
Valdis.Kletnieks () vt edu writes:

> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
>
> > *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
>
> Nope. Zip. Zero. Ziltch. Nothing over and above what a good properly configured stateful *non*-NAT firewall should be doing for you already.

Thanks for the clarification, Owen and Valdis. We are, of course, 100% in agreement that it is stateful inspection that provides (a measure of) security, and that stateful inspection can be had without NAT. But NAT *requires* stateful inspection; and the many-to-one, port translating NAT in common use all but requires affirmative steps to be taken to relay inbound connections to a designated, internal host -- the default ends up being to drop them. All this can be done without NAT, but with NAT you get it "for free".

I can't pass over Valdis's statement that a "good properly configured stateful firewall should be doing [this] already" without noting that on today's Internet, the gap between "should" and "is" is often large.

If what you meant to say is that NAT provides no security benefits that can't also be provided by other means, then I completely agree.

Jim Shankland
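
The point argued in the message above, as an added example that is not part of the original post or thread: a toy Python model in which a stateful filter without translation and a many-to-one port-translating NAT both drop an unsolicited inbound packet, because neither finds matching flow state. All class names, addresses (documentation and RFC 1918 ranges) and ports are constructed for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class StatefulFilter:
    """Toy stateful inspection with no address translation."""
    flows: set = field(default_factory=set)

    def outbound(self, p):
        # Remember the tuple a genuine reply will carry.
        self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return p

    def inbound(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return p if key in self.flows else None  # no state: drop

@dataclass
class Napt:
    """Toy many-to-one port-translating NAT; translation needs a state table."""
    public_ip: str
    ports: dict = field(default_factory=dict)     # outbound flow -> public port
    state: dict = field(default_factory=dict)     # reply tuple -> inside (ip, port)
    forwards: dict = field(default_factory=dict)  # (proto, public port) -> inside (ip, port)

    def outbound(self, p):
        # Allocate one public port per inside flow and record the reply tuple.
        port = self.ports.setdefault(p, 40000 + len(self.ports))
        self.state[(p.proto, p.dst, p.dport, port)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        if p.dst != self.public_ip:
            return None
        inside = self.state.get((p.proto, p.src, p.sport, p.dport))
        inside = inside or self.forwards.get((p.proto, p.dport))
        # No flow state and no configured forward: nowhere to relay, so drop.
        return Packet(p.proto, p.src, p.sport, *inside) if inside else None

def demo():
    # Constructed sample traffic: one outbound HTTPS flow, one unsolicited probe.
    fw, nat = StatefulFilter(), Napt("198.51.100.1")
    fw.outbound(Packet("tcp", "198.51.100.5", 51000, "192.0.2.80", 443))
    sent = nat.outbound(Packet("tcp", "10.0.0.5", 51000, "192.0.2.80", 443))
    scan_fw = fw.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.5", 22))
    scan_nat = nat.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 22))
    reply = nat.inbound(Packet("tcp", "192.0.2.80", 443, "198.51.100.1", sent.sport))
    return scan_fw, scan_nat, reply
```

Adding an entry to `forwards` is the "affirmative step" the message refers to: only then does the model's NAT relay the same probe to an inside host.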