On 3/24/14 1:37 PM, "William Herrin" <b...@herrin.us> wrote:

>On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgr...@ns.sol.net> wrote:
>>> I say this with the utmost respect, but you must understand the
>>> principle of defense in depth in order to make competent security
>>> decisions for your organization. Smart people disagree on the details
>>> but the principle is not only iron clad, it applies to all forms of
>>> security, not just IP network security.
>>
>> The problem here is that what's actually going on is that you're now
>> enshrining as a "security" device a hacky, ill-conceived workaround
>> for a lack of flexibility/space/etc in IPv4. NAT was not designed
>> to act as a security feature.
>
>Hi Joe,
>
>That would be one of those "details" on which smart people disagree.
>In this case, I think you're wrong. Modern NAT superseded the
>transparent proxies and bastion hosts of the '90s because it does the
>same security job a little more smoothly. And proxies WERE designed to
>act as a security feature.

What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?

The NAT on home gateways may be a full-cone NAT. This allows easier setup of online gaming, for instance, or other applications where an inbound SYN is required. This provides no security, since as soon as a connection is established, all traffic is allowed. Even restricted cone NATs provide little protection, just a bit of guessing that even a human could manage.

If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice.

But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine. You may use NPT66 with ULA; that function is defined.

Lee
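Editor's added illustration, not code from Lee's message or the thread: a toy Python model of the NAT mapping types Lee contrasts (full cone, restricted cone, symmetric), extended with the port-restricted cone variant the message does not name. The inside host opens a session to a game server and an unrelated host then probes the mapped public port; all addresses are constructed RFC 5737 documentation values.

```python
# Toy model of NAT mapping behaviours (added example, constructed addresses).
# It shows which policies forward an inbound packet the inside host never asked for.
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class Nat:
    """Simplified NAT/firewall. policy is one of
    'full_cone', 'restricted_cone', 'port_restricted_cone', 'symmetric'."""

    def __init__(self, policy: str, public_ip: str = "192.0.2.1") -> None:
        self.policy = policy
        self.public_ip = public_ip
        self.next_port = 40000
        # public endpoint -> (inside endpoint, external peers the inside host sent to)
        self.table: Dict[Endpoint, Tuple[Endpoint, Set[Endpoint]]] = {}

    def outbound(self, inside: Endpoint, peer: Endpoint) -> Endpoint:
        """Inside host sends to peer; returns the public endpoint used."""
        # Symmetric NAT keys the mapping on the peer too; cone NATs reuse one mapping.
        for pub, (ins, peers) in self.table.items():
            if ins == inside and (self.policy != "symmetric" or peer in peers):
                peers.add(peer)
                return pub
        pub = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[pub] = (inside, {peer})
        return pub

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """External src sends to public dst; returns the inside endpoint if forwarded."""
        if dst not in self.table:
            return None  # no mapping at all: dropped under every policy
        inside, peers = self.table[dst]
        if self.policy == "full_cone":
            return inside  # anyone may use the hole once it exists
        if self.policy == "restricted_cone":
            return inside if any(p[0] == src[0] for p in peers) else None  # IP only
        # port_restricted_cone and symmetric: exact (ip, port) must have been contacted
        return inside if src in peers else None


def unsolicited_reaches_inside(policy: str) -> bool:
    """Inside host opens a session to a game server; an unrelated host then
    probes the public port. True means the probe is forwarded inside."""
    nat = Nat(policy)
    pub = nat.outbound(("10.0.0.5", 5000), ("203.0.113.10", 27015))
    return nat.inbound(("198.51.100.7", 4444), pub) is not None
```

The restricted-cone case is the one Lee calls "a bit of guessing": a probe from the server's IP but any port still gets through, which a stateful firewall tracking full 5-tuples would drop.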