Chris Engel wrote:

> Keith,
>
> Whether NAT is a useful discriminator or NOT is rather irrelevant (though I
> happen to find it a useful one).... the point is the Network Administrator
> and company security policy IS a useful security discriminator in determining
> what applications are valuable or not...and THEY can determine whether the
> benefits of NAT outweigh the costs.

Actually, I disagree. In my experience (at least for networks that serve a significantly sized population of users) such people are usually quite ignorant of both the diversity of needs of their users, and the true impact of NAT on their networks in terms of the range of the applications that NATs deny to users; and are therefore unable to make a realistic estimate of the costs.

Of course, it's not unusual for a network administrator to view applications as thorns in his side, and to try to reduce the number of applications available to users.

> NO ONE is arguing that NAT is a useful tool for EVERY network. I'm glad that
> there will be more alternatives available under IPv6 for people to use.
> However, that does NOT mean that for many of the people who currently use it
> that NAT is not currently useful and would not be so in future regardless of
> the other options available. Just because person X in their situation finds a
> particular tool more harmful than helpful is NOT a good argument for denying
> the tool's use to EVERYONE.

The same could be said of applications whose functions are impaired by NAT. e.g. Just because a network administrator thinks that such applications are more harmful than helpful is NOT a good reason for denying the use of those applications to EVERYONE on that network.
Perhaps unfortunately, nobody has figured out a way to prevent NATs from being used in IPv6. But the ONLY significant benefit of NAT in the IPv4 world is associated with their use to conserve precious address space, and even that comes with significant pain. The other benefits are corner cases that apply only to very specific situations.

> Let the people who find the tool useful CHOOSE to use it (and live with the
> consequences of that choice) and those who don't, don't.

The problem is, the people who are choosing to install NATs are not the ones dealing with the consequences of that choice.

> Furthermore, it's definitely NOT special-purpose networks that look to
> tightly limit the services that traverse the network boundary. That's a
> pretty significant goal in pretty much all corporate security. My company
> deals with A LOT of Fortune 1000 clients and almost every one which has had a
> security review as part of their vendor qualification process MANDATES NAT...
> not just in the ASP hosting environment...but even in the corporate networks
> of the vendors they deal with.

Most of those Fortune 1000 companies use Windows too...which doesn't say much for their sense of security.

> On most corporate networks I've seen...the recommended security standard has
> become not just DENY ALL IN but DENY ALL OUT and then poke open holes AS
> REQUIRED.

You certainly don't need NAT to do that.

> Your other argument doesn't make much sense to me. Yes, NAT protecting the
> private network from exposure may indeed "mask" the fact that the FW rules
> have been misconfigured.... in that sense it is doing its job as a
> compensating control. I'm pretty sure that almost any network admin is going
> to be happier discovering that flaw in a routine audit of their FW config
> rather than discovering it because of an ACTUAL breach....I'm almost certain
> the business owners whose assets are being protected would be. That's the
> whole point of compensating controls.
If you want a layered defense (which I agree is a good thing), it makes far more sense to have multiple layers of firewall (as well as intrusion detection and active probing) than to trust a NAT to "do the right thing" when you have a configuration error.

> Note, when I'm speaking here...I'm really addressing the utility of NAT from
> the perspective of employing it at the edge of private
> networks....particularly corporate enterprise or non-profit organization
> networks. You might label these as "special-purpose" networks...but I really
> wouldn't.

Nor I.

> In these instances, the end users do NOT rightfully have the expectation to
> run any old application they may choose or want and have it work. They are
> specifically utilizing assets (including the computers they happen to be
> sitting at) that are NOT owned or controlled by them.... and they are doing
> so in the capacity as paid representatives of the organization whose assets
> they are utilizing.

I'm not talking about the "rights" of end users in such situations, but rather, their ability to use the best applications available in order to get their work done. Yes, a company can, if it wishes, dictate precisely which applications a user may or may not use on the company's network or equipment; and yes, the company can attempt to enforce those restrictions by placing impediments in the network. Of course, they do that at the peril of harming their company's ability to compete in the marketplace. But it's their choice.

But given that it chooses to limit the apps that can be used on its network, why in the world should it employ NAT to do that when there are far better tools for the job? Or to put it another way, why should it cripple its networks a priori so that it becomes more difficult to support new applications even when their utility becomes apparent?

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
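As an added illustration, not part of the thread, of the point that a default-deny policy in both directions does not require NAT: an nftables ruleset for an IPv6 edge firewall that keeps inside hosts globally addressed and opens only the listed holes. The interface names and the 2001:db8:1::/48 prefix are constructed assumptions, not any real deployment.

```nftables
# Added example, not from the thread: a stateful IPv6 edge policy with no address
# translation that implements "DENY ALL IN, DENY ALL OUT, poke holes AS REQUIRED".
# Assumptions (constructed): eth0 faces the Internet, eth1 faces the inside network,
# and the inside network uses the documentation prefix 2001:db8:1::/48.
table ip6 edge {
    set out_tcp_holes {
        type inet_service
        elements = { 80, 443 }          # outbound holes, opened as required
    }

    chain input {
        # Traffic to the firewall itself: drop by default.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbor discovery and router advertisements are mandatory for IPv6 to function.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
        # Management only from the inside.
        iifname "eth1" tcp dport 22 ct state new accept
    }

    chain forward {
        # Traffic through the firewall: drop by default in both directions.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Path MTU discovery and error reporting need these ICMPv6 types end to end.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Outbound holes: inside hosts may open connections to the listed services only.
        iifname "eth1" oifname "eth0" ip6 saddr 2001:db8:1::/48 tcp dport @out_tcp_holes ct state new accept
        iifname "eth1" oifname "eth0" ip6 saddr 2001:db8:1::/48 udp dport 53 ct state new accept
        # Inbound hole: one published service on one known host (constructed address).
        iifname "eth0" oifname "eth1" ip6 daddr 2001:db8:1::25 tcp dport 443 ct state new accept
        # Anything else is dropped and logged, so a rule mistake shows up in an audit
        # instead of being masked.
        log prefix "edge-drop " counter drop
    }

    chain output {
        # The firewall's own outbound traffic: permit only what it needs.
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request, echo-reply } accept
        udp dport 53 accept                # DNS resolution for the firewall host itself
    }
}
```

The logged drop at the end of the forward chain is what makes a misconfigured rule visible in a routine audit rather than hidden behind translation. A real deployment would also need to admit MLD and whatever other services the organization actually publishes.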
