On 7/06/2007, at 3:59 AM, Stephen Sprunk wrote:
Thus spake "Roger Marquis" <[EMAIL PROTECTED]>
I, for one, give up. No matter what you say I will never
implement NAT, and you may or may not implement it if people
make boxes that support it.
Most of the rest of us will continue to listen to b
Nathan Ward wrote:
On 5/06/2007, at 9:29 PM, <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]> wrote:
I posit that a screen door does not provide any security.
"Any" is too strong a word. For people living in an area with
malaria-carrying mosquitoes, that screen door may be more important for
s
On Monday 04 June 2007 18:06, Owen DeLong wrote:
> On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
> >> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> >>> Owen DeLong <[EMAIL PROTECTED]> writes:
> There's no security gain from not having real IPs on machines.
> Any belief that the
On 6/5/07, David Schwartz <[EMAIL PROTECTED]> wrote:
Combined responses to save bandwidth and hassle (and number of times you
have to press 'd'):
--
> Just because it's behind NAT, does not mean it's unreachable from the
internet:
Okay, so exactly how many times do you think we have to say
On 6/4/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
This is a fine piece of rhetoric, but it's manifestly false and seriously
misleading.
Hi, David
I think the
David Schwartz wrote:
>> Just because it's behind NAT, does not mean it's unreachable from the
> internet:
> Okay, so exactly how many times do you think we have to say in this thread
> that by "NAT/PAT", we mean NAT/PAT as typically implemented in the very
> cheapest routers in their default conf
On 5/06/2007, at 9:29 PM, <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]> wrote:
I posit that a screen door does not provide any security.
"Any" is too strong a word. For people living in an area with
malaria-carrying mosquitoes, that screen door may be more important
for
security than a sol
Combined responses to save bandwidth and hassle (and number of times you
have to press 'd'):
--
> Just because it's behind NAT, does not mean it's unreachable from the
internet:
Okay, so exactly how many times do you think we have to say in this thread
that by "NAT/PAT", we mean NAT/PAT as typ
On Jun 4, 2007, at 12:22 PM, Dave Israel wrote:
[EMAIL PROTECTED] wrote:
On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
*No* security gain? No protection against port scans from
Bucharest?
No protection for a machine that is used in practice only on the
local, office LAN? Or to acc
On 4/06/2007, at 9:52 PM, Sam Stickland wrote:
Jared Mauch wrote:
http://www.icann.org/meetings/lisbon/presentation-doering-ipv6-25mar07.pdf
In answer to two questions at the end of this document:
• what are enterprises waiting for?
• should we ditch IPv6, and live with IPv4 + N
At 09:07 PM 6/4/2007, Jason Lewis wrote:
I figured SMB would chime in...but his research says it's not so anonymous.
http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf
Give or take NAT boxes / firewalls that specifically have features to
mess with the IP ID. The SonicWALL products have,
I figured SMB would chime in...but his research says it's not so anonymous.
http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf
jas
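The Bellovin paper linked above ("A Technique for Counting NATted Hosts") exploits the fact that many TCP/IP stacks of that era fill the 16-bit IP ID field from a single per-host counter that increments once per packet, so packets leaving one public address form one monotonically increasing ID run per inside host. The Python below is an added example written for this page, not code from the paper or from the list thread; it clusters constructed packet samples into such runs and returns the run count as the host estimate. The second sample shows why a box that randomizes IP IDs (the SonicWALL feature mentioned in the reply) defeats the method: every packet lands in its own run and the count says nothing about the number of hosts.

```python
"""Estimate how many hosts sit behind one NATed address from IP ID runs,
following the idea in Bellovin's counting paper.  Added example; the
packets are constructed, not captured."""
from dataclasses import dataclass
from typing import List


@dataclass
class Packet:
    t: float      # capture time, seconds (constructed)
    ip_id: int    # 16-bit IP Identification field


def count_hosts(packets: List[Packet], max_gap: int = 50, max_age: float = 60.0) -> int:
    """Greedy run clustering.  A host with a sequential IP ID counter emits
    ids that increase by one per packet, so each packet is attached to the
    run whose last id is just below it (within max_gap, to allow for packets
    we did not observe, and within max_age seconds); if no run fits, the
    packet starts a new run.  The number of runs is the host estimate."""
    runs = []  # each run is [last_ip_id, last_time]
    for p in sorted(packets, key=lambda q: q.t):
        best = None
        for run in runs:
            delta = (p.ip_id - run[0]) & 0xFFFF   # modular: counters wrap at 65535
            if 0 < delta <= max_gap and p.t - run[1] <= max_age:
                if best is None or delta < best[1]:
                    best = (run, delta)
        if best is not None:
            best[0][0], best[0][1] = p.ip_id, p.t
        else:
            runs.append([p.ip_id, p.t])
    return len(runs)


def interleaved_sample() -> List[Packet]:
    """Constructed: four hosts with sequential counters (one of them wrapping
    from 65535 to 0) whose packets are interleaved in time."""
    a = [Packet(0, 1000), Packet(2, 1001), Packet(5, 1002), Packet(8, 1003)]
    b = [Packet(1, 30000), Packet(4, 30001), Packet(7, 30002), Packet(10, 30003)]
    c = [Packet(3, 61000), Packet(6, 61001), Packet(9, 61002), Packet(11, 61003)]
    d = [Packet(0.5, 65534), Packet(3.5, 65535), Packet(6.5, 0), Packet(9.5, 1)]
    return a + b + c + d


def randomized_sample() -> List[Packet]:
    """Constructed: twelve packets from a box that randomizes IP IDs.
    Nothing here reveals how many hosts produced them."""
    ids = [41234, 7, 60001, 12345, 9999, 33333, 20202, 50505, 3, 45678, 1717, 28000]
    return [Packet(float(i), ip_id) for i, ip_id in enumerate(ids)]


if __name__ == "__main__":
    print("sequential IDs, hosts estimated:", count_hosts(interleaved_sample()))
    print("randomized IDs, hosts estimated:", count_hosts(randomized_sample()))
```

The estimate is only as good as the assumption that inside hosts use sequential IDs; stacks that randomize the field, or a NAT box that rewrites it, break the correlation, which is the point being made in the reply above.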
Colm MacCarthaigh wrote:
On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
*No* security gain? No protection against port scans from Bucharest?
Surely that second quote should be "crap, now macrumors can tell that one
person in our office follows them obsessively"? Unless there's
publically-available information that indicates that IP address is your
CEO's (which is a whole other topic -- publically available rDNS for
company-internal
DS> Date: Mon, 4 Jun 2007 16:27:14 -0700
DS> From: David Schwartz
[ snipped throughout ]
DS> I can give you the root password to a Linux machine running telnetd
DS> and sshd. If it's behind NAT/PAT, you will not get into it. Period.
DS>
DS> I can give you the administrator password to a Window
I can give you the root password to a Linux machine running telnetd and
sshd. If it's behind NAT/PAT, you will not get into it. Period.
I'll give you root password to a half a dozen directly connected Linux
boxes and you still won't be able to get in.
I can give you the administrator passwor
On 6/4/07, David Schwartz <[EMAIL PROTECTED]> wrote:
I can give you the root password to a Linux machine running telnetd and
sshd. If it's behind NAT/PAT, you will not get into it. Period.
Just because it's behind NAT, does not mean it's unreachable from the internet:
Fenrir:~% telnet ipv4.
On Mon, Jun 04, 2007 at 04:27:14PM -0700, David Schwartz wrote:
> > I posit that a screen door does not provide any security. A lock and
> > deadbolt provide some security. NAT/PAT is a screen door.
> > Not having public addresses is a screen door. A stateful inspection
> > firewall is a lock an
On Mon, Jun 04, 2007 at 08:12:45PM +0100, Colm MacCarthaigh wrote:
> The argument can go either way, you can spin it as a benefit for the
> network operator ("wow, user activity and problems are now more readily
> identifiable and trackable") or you can see it as an organisational
> privacy issue
On Mon, Jun 04, 2007 at 03:31:00PM -0500, Larry Smith wrote:
>
> On Monday 04 June 2007 13:54, [EMAIL PROTECTED] wrote:
> > On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > > *No* security gain? No protection against port scans from Bucharest?
> > > No protection for a machine that is u
On Mon, Jun 04, 2007 at 11:34:30PM +0100, Sam Stickland wrote:
>
> Matthew Palmer wrote:
> >I can think of one counter-example to this argument, and that's
> >SSL-protected services, where having a proxy, transparent or otherwise, in
> >your data stream just isn't going to work.
>
> Not so. Loo
Leigh Porter wrote:
Additionally, NATing services on separate machines behind a single NATed
address anonymises the services behind a single address.
Agreed. It can be very useful to not expose the internal topology
through address assignment so as to not expose which
subnets/desktops/users
But NAT *requires* stateful inspection;
No, NAT does not require this.
In the context of this discussion it does.
Port NAT mapping one IP to many does, but there are other
kinds of NAT.
This is exactly the NAT that is being spoken of though.
this lack of precision can lead to nasty result
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
> Not having public addresses is a screen door. A stateful inspection
> firewall is a lock and deadbolt.
This is a fine piece of rhetoric, but it's manifestly fals
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
> Not having public addresses is a screen door. A stateful inspection
> firewall is a lock and deadbolt.
It's tedious getting in and out with a lock and a deadbolt
Jim Shankland wrote:
But NAT *requires* stateful inspection;
No, NAT does not require this.
Port NAT mapping one IP to many does, but there are other
kinds of NAT.
this lack of precision can lead to nasty results when
clueless middle managers demand things they don't understand
(which is, aft
Sorry, Owen, but your argument is ridiculous. The original statement was
"[t]here's no security gain from not having real IPs on machines". If
someone said, "there's no security gain from locking your doors", would you
refute it by arguing that there's no security gain from locking your doors
th
Sure, NAT can't prevent users from running with scissors, but sometimes it
does block the scissors thrown at the back of their neck whilst they are
sleeping :)
On 6/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said:
> I can't pass over Vald
On Monday 04 June 2007, [EMAIL PROTECTED] wrote:
> Nope. Zip. Zero. Zilch. Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.
Since when are CPE devices 'properly' configured?
--
Lamar Owen
Chief Information Officer
Pisgah Astr
On Mon, Jun 04, 2007 at 12:20:38PM -0700, Jim Shankland wrote:
> But NAT *requires* stateful inspection; and the many-to-one, port
> translating NAT in common use all but requires affirmative steps
> to be taken to relay inbound connections to a designated, internal
> host -- the default ends up b
At 03:20 PM 6/4/2007, Jim Shankland wrote:
[EMAIL PROTECTED] writes:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain? No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN? O
On Mon, Jun 04, 2007 at 08:04:23PM +0100, Leigh Porter wrote:
> Jim Shankland wrote:
> >Owen DeLong <[EMAIL PROTECTED]> writes:
> >
> >>There's no security gain from not having real IPs on machines.
> >>Any belief that there is results from a lack of understanding.
> >>
> >
> >This is one of
Well, give the junky little NAT boxes their due. Grubby little home
networks running windoze on one or a few computers cause a lot less trouble
in the world when there is a junky little NAT box between the house LAN and
the big world outside. Better ways to do it? Absolutely! Easier,
cheaper a
land; Owen DeLong; NANOG list
Subject: Re: Security gain from NAT
Joe Abley wrote:
>
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
>> Shall I do the experiment again where I set up a Linux box
>> at an RFC1918 address, behind a NAT device, publish the root
>> p
Also, it is good to control the Internet addressable devices on your network
by putting them behind a NAT device. That way you have fewer devices to
concern yourself about that are directly addressable when they most likely
need not be. You can argue that you can do the same with a firewall and
[EMAIL PROTECTED] writes:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain? No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN? Or to access a single, corporate Web site?
>
>
On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> *No* security gain? No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN? Or to access a single, corporate Web site?
Nope. Zip. Zero. Zilch. Nothing over a
Jim Shankland wrote:
> Owen DeLong <[EMAIL PROTECTED]> writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believi
Jim Shankland wrote:
Owen DeLong <[EMAIL PROTECTED]> writes:
There's no security gain from not having real IPs on machines.
Any belief that there is results from a lack of understanding.
This is one of those assertions that gets repeated so often people
are liable to start believin
Joe Abley wrote:
On 4-Jun-2007, at 14:32, Jim Shankland wrote:
Shall I do the experiment again where I set up a Linux box
at an RFC1918 address, behind a NAT device, publish the root
password of the Linux box and its RFC1918 address, and invite
all comers to prove me wrong by showing evidenc
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
Owen DeLong <[EMAIL PROTECTED]> writes:
There's no security gain from not having real IPs on machines.
Any belief that there is results from a lack of understanding.
This is one of those assertions that gets repeated so often people
are liabl
On 4-Jun-2007, at 14:32, Jim Shankland wrote:
Shall I do the experiment again where I set up a Linux box
at an RFC1918 address, behind a NAT device, publish the root
password of the Linux box and its RFC1918 address, and invite
all comers to prove me wrong by showing evidence that they've
succ
Owen DeLong <[EMAIL PROTECTED]> writes:
> There's no security gain from not having real IPs on machines.
> Any belief that there is results from a lack of understanding.
This is one of those assertions that gets repeated so often people
are liable to start believing it's true :-).
*No* security