nanog mailing list archives
Re: We hit half-million: The Cidr Report
From: Jean-Francois Mezei <jfmezei_nanog () vaxination ca>
Date: Thu, 01 May 2014 19:10:08 -0400
On 14-05-01 14:34, Owen DeLong wrote:
> Believe me, I cringe every time I hear “our auditors require NAT as a security mechanism”
Pardon my ignorance here. But in a carrier-grade NAT implementation that serves say 5000 users, what happens when someone from the outside tries to connect to port 80 of the shared routable IP ? You still need to have explicit port forwarding to specific LAN side hosts (like the web server) right ?

Trying to be devil's advocate here: (and discussing only incoming calls)

In a NAT setup for a company, wouldn't the concept be that you explicitly have to open a few ports to specific hosts ? (for instance 80 points to the web server LAN IP address) All the rest of the gazillion ports are blocked by default since the router doesn't know to which LAN host they should go.

On the other hand, for a LAN with routable IPs, by default, all ports are routed to all computers, and security then depends on ACLs or other mechanisms to implement a firewall.

Auditors probably prefer an architecture where everything is blocked by default and you open specific ports compared to one where everything is open by default and you then add ACLs to implement security. (Not judging whether one is better, just trying to figure out why auditors might prefer NAT).

Also, home routers have "NAT" which is really a combo of NAT with basic firewall, so if you don't have "NAT", they may equate this to not having a firewall.
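[Editor's added example, not part of the post above or of any reply in the thread.] The two setups the post contrasts, written as nftables rulesets so the difference can be inspected line by line: setup A is an IPv4 NAT gateway with a single explicit port forward to a web server, setup B is a LAN on routable IPv6 addresses with no NAT at all. Interface names (wan0, lan0), the documentation-prefix addresses (203.0.113.10, 192.168.0.0/24, 2001:db8:1::/64) and the choice of nftables are assumptions for the illustration. In both rulesets the line that turns unsolicited inbound connections away is the forward chain's `policy drop` plus the `ct state established,related accept` rule; the dnat rule in A only chooses which LAN host the one permitted connection is delivered to.

```nftables
# Added example (editor), not from the original post. Interface names and
# addresses are assumed; load with `nft -f file`, syntax-check with `nft -c -f file`.

# Setup A: IPv4 NAT gateway. Shared public IP 203.0.113.10 on wan0,
# LAN 192.168.0.0/24 on lan0, web server 192.168.0.80.
table ip nat_example {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The one explicit port forward: public :80 -> web server.
        # Inbound packets to any other port are not rewritten, so they keep the
        # router's own address as destination and are handled by the input hook
        # (which must be locked down separately); they never reach the LAN.
        iifname "wan0" tcp dport 80 dnat to 192.168.0.80:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Many-to-one source NAT for everything the LAN sends out
        oifname "wan0" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections the LAN opened
        ct state established,related accept
        ct state invalid drop
        # The forwarded connection, and nothing else, may enter from wan0
        iifname "wan0" oifname "lan0" ip daddr 192.168.0.80 tcp dport 80 ct state new accept
        # LAN hosts may initiate anything outbound
        iifname "lan0" oifname "wan0" accept
    }
}

# Setup B: routable IPv6, LAN 2001:db8:1::/64 on lan0, web server 2001:db8:1::80.
# No translation: every LAN host is reachable by its own address, so the
# stateful forward chain with policy drop is what keeps the other ports closed.
table ip6 filter_example {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the web server's port 80 is reachable from the outside
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::80 tcp dport 80 ct state new accept
        # LAN hosts may initiate anything outbound
        iifname "lan0" oifname "wan0" accept
    }
}
```

To see what each setup actually exposes, test from a host outside wan0: a SYN to port 80 of 203.0.113.10 (setup A) or of 2001:db8:1::80 (setup B) completes the handshake, while a SYN to port 22 of the same addresses, or to port 80 of any other LAN host in setup B, gets no reply in either case. Removing the `policy drop` line from setup B's forward chain opens every LAN host on every port; removing the dnat line from setup A only makes port 80 unreachable.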
Current thread:
- Re: We hit half-million: The Cidr Report John Souter (May 01)
- Re: We hit half-million: The Cidr Report Owen DeLong (May 01)
- Re: We hit half-million: The Cidr Report John Souter (May 01)
- Re: We hit half-million: The Cidr Report Owen DeLong (May 01)
- Re: We hit half-million: The Cidr Report Jean-Francois Mezei (May 01)
- Re: We hit half-million: The Cidr Report Robert Drake (May 01)
- Re: We hit half-million: The Cidr Report Fred Baker (fred) (May 01)
- Re: We hit half-million: The Cidr Report Mark Foster (May 01)
- Re: We hit half-million: The Cidr Report Owen DeLong (May 01)
- Re: We hit half-million: The Cidr Report John Souter (May 01)
- Re: We hit half-million: The Cidr Report Owen DeLong (May 01)
- Re: We hit half-million: The Cidr Report Alain Hebert (May 01)
- Re: We hit half-million: The Cidr Report Owen DeLong (May 01)
- Re: We hit half-million: The Cidr Report Alain Hebert (May 02)
- <Possible follow-ups>
- Re: We hit half-million: The Cidr Report Robert Drake (May 01)