nanog mailing list archives
RE: Security gain from NAT
From: "Howard C. Berkowitz" <hcb () netcases net>
Date: Mon, 4 Jun 2007 15:28:17 -0400
I'm sure everyone understands the underlying principle, but I'm constantly making the point that even the best firewall is not a total security solution. Forget antivirus, IDS, host authentication, etc., and just look on the perimeter. At least four device types lead inside from the DMZ:

    NAT
    Firewalls of various flavors
    VPN concentrators/security gateways
    Rate-limiting anti-DOS devices to protect host-to-host encryption

For small and medium enterprises, these functions might, as an implementation choice, reside in the same box; NAT is most likely to coexist with firewalling or VPN concentration. The latter gets a little Zen-ish if the VPN concentrator acts as a separately addressed proxy anyway.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Sam Stickland
Sent: Monday, June 04, 2007 3:04 PM
To: Joe Abley
Cc: Jim Shankland; Owen DeLong; NANOG list
Subject: Re: Security gain from NAT

Joe Abley wrote:
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
>> Shall I do the experiment again where I set up a Linux box at an RFC1918 address, behind a NAT device, publish the root password of the Linux box and its RFC1918 address, and invite all comers to prove me wrong by showing evidence that they've successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up a linux box with a globally-unique address, put it behind a firewall which blocks all incoming traffic to that box, and issue a similar invitation. Do you think the results will be different?

I fear a somewhat more cynical person could interpret the results of such an experiment to mean that NAT is as good as a firewall ;)

S