Home page logo

nanog logo nanog mailing list archives

Re: Where NAT disenfranchises the end-user ...
From: Scott Gifford <sgifford () tir com>
Date: 10 Sep 2001 13:29:58 -0400

Roeland Meyer <rmeyer () mhsc com> writes:

|> From: Jared Mauch [mailto:jared () puck Nether net]
|> Sent: Sunday, September 09, 2001 2:49 PM

|>    Let me reprhase my inital statement, "In most cases i've seen
|> where someone is using NAT it's part of a security policy and not due
|> to lack of available address space".

Jared, those whom depend on an accident, for security, deserve what happens
when the accident undoes itself. I was just over on www.netcraft.com,
checking out their stats for the CodeRed worm. I was amazed at how fast IIS
admins responded by applying the patches. If NAT were suddenly "fixed", any
incidental security is toast. NAT was never designed for, and was never
intended as, a security method. Any current protection is strictly the
result of a side-effect. The side-effect that breaks the internet
connection. It's a result of the connection being broken. A properly built
firewall is much more effective and definitely more deterministic. Neither
is it vulnerable to a "fix patch".

I don't understand what kind of "fix patch" you're talking about
here...NAT uses the same techniques that a stateful firewall uses; if
you can find some kind of "fix patch" to bypass NAT, chances are
excellent it will work on a stateful firewally, too.

I've actually seen the question of how NAT breaks the Internet more
than a good stateful firewall come up more than once, and haven't
really seen a satisfactory answer.  Where does a stateful firewall
configured to only allow outgoing connections work that NAT doesn't?

I ask not to drag this discussion on, but because I use NAT for
address conservation and security on a couple networks that I operate,
and am curious if I'd be much better off with something different...


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]