nanog mailing list archives
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Colm MacCarthaigh <colm () stdlib net>
Date: Mon, 4 Jun 2007 20:12:45 +0100
On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
> > *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
>
> Correct. There's nothing you get from NAT in that respect that you do not get from good stateful inspection firewalls. NONE whatsoever.

Arguably the instant hit of IP source anonymity you get with NAT is a security benefit (from the point of view of the user). Of course these days there are all sorts of fragment and timing analyses that will allow you to determine origin commonality behind NAT, but it's nowhere near as convenient as a public IP address. A non-NAT stateful firewall can't simulate that, you need high-rotation DHCP or similar to get close. Although IPv6 privacy addresses rock :-)

The argument can go either way, you can spin it as a benefit for the network operator ("wow, user activity and problems are now more readily identifiable and trackable") or you can see it as an organisational privacy issue ("crap, now macrumors can tell that the CEO follows them obsessively").

NAT is still evil though, the problems it causes operationally are just plain not worth it.

--
Colm MacCárthaigh Public Key: colm+pgp () stdlib net