Simon Hobson wrote:
> <soapbox mode>
> NAT is also fundamentally broken in ANY implementation, it is BAD, to
> be avoided whenever you have enough public IPs to avoid it. It's an
> evil kludge invented to avoid having to fix the real problem (lack of
> addresses), and a second effect of its invention has been to delay
> implementation of the proper fix because too many people think it IS
> the fix. Along with NAT you need Application Level Gateways (ALGs)
> for the many protocols it breaks (including FTP and SIP), and for SIP
> it's far from trivial to build an ALG - in fact it's impractical to
> build a universal ALG that will work in all possible situations
> because it requires an intimate knowledge of how the network appears
> to the client which may not be the same as how it appears to the
> gateway.
>
> The security is useful, but no more than you can get with any half
> decent firewall.
>
<snipped for brevity>
Forgive me for posting on this topic, I want to clarify a few things
in the hopes that novices will take notice.
For all the arguing you kids are doing regarding NAT, the following
remains true and "less than expert" admins should know about it.
NAT, for all its faults, does a decent job of keeping outsiders
from connecting to an internal network. Having access to a true class C
that you can use for LAN/WAN purposes on face value seems nice. But when
security mistakes are made in that context it can lead to unfettered
access to the internal infrastructure. Not only that, but you also
multiply the number of security breach possibilities because now your
internal network electronics, printers, fax machines, IP cameras, <name
your esoteric device here> have to be hardened to the same level as a
server (which would be behind a firewall anyhow).
I don't know about anyone else, but I certainly don't relish the
idea of having to add IP cameras, printers, and Windows machines to the
weekly security audit .... I've got 36 servers to watch - that's enough
security worry. I certainly wouldn't want the *majority* of IT people
I've worked with saddled with making sure a firewall was adequately
protecting a UPS. They just don't have the protocol knowledge.
So be careful here, some guy with good intentions is going to take
your "technically correct" opinions, misconfigure a firewall for 240
devices on a class C, and 3 million people will have lost their credit
card info - all because some cracker figured out how to script a
dictionary attack through a Logitech Webcam.
Remember the audience.
--
Michael Cozzi
[EMAIL PROTECTED]
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
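The misconfiguration the post warns about (a routable /24 behind a firewall that lets the Internet reach every device) is easy to spot mechanically in Shorewall's own configuration files. The script below is an added example for this thread, not code from the original posters or from the Shorewall project. It assumes the zone names `net` (Internet) and `loc` (LAN) from Shorewall's two-interface sample, the classic column layout of the `policy` file (SOURCE DEST POLICY LOGLEVEL) and `rules` file (ACTION SOURCE DEST PROTO DPORT), and the address 203.0.113.0/24 as a stand-in for "a class C you own". Both configurations it audits are constructed inline: the weak one (default-allow from `net` to `loc`, plus a rule that opens the whole subnet) beside the corrected one (default-deny, explicit per-host, per-port ACCEPTs only).

```python
"""Audit Shorewall 'policy' and 'rules' fragments for settings that expose a
whole internal subnet to the Internet.

Added example, not code from the mailing-list thread or from Shorewall.
Assumes the zone names 'net' and 'loc' and the classic column order:
  policy: SOURCE  DEST  POLICY  [LOGLEVEL]
  rules:  ACTION  SOURCE  DEST  [PROTO]  [DPORT]
All configuration text below is constructed for this example.
"""
import ipaddress

# Constructed: the mistake the post describes. The Internet can reach every
# host on the routable /24 (policy), and a rule opens the subnet on all ports.
BROKEN_POLICY = """\
#SOURCE  DEST  POLICY  LOGLEVEL
loc      net   ACCEPT
net      loc   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""
BROKEN_RULES = """\
#ACTION  SOURCE  DEST
ACCEPT   net     loc:203.0.113.0/24
"""

# Constructed: default-deny from the Internet; only two servers are reachable,
# each on the ports it actually serves. Printers and cameras stay unreachable.
FIXED_POLICY = """\
#SOURCE  DEST  POLICY  LOGLEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""
FIXED_RULES = """\
#ACTION  SOURCE  DEST              PROTO  DPORT
ACCEPT   net     loc:203.0.113.10  tcp    80,443
ACCEPT   net     loc:203.0.113.25  tcp    25
"""

UNTRUSTED = {"net", "all"}   # SOURCE values that mean "anyone on the Internet"


def _columns(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _dest_scope(dest):
    """Classify a DEST column as 'zone' (bare zone name), 'subnet' or 'host'."""
    if ":" not in dest:
        return "zone"
    _zone, addrs = dest.split(":", 1)
    for addr in addrs.split(","):
        try:
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError:
            continue                    # hostname or macro: treat as a single host
        if net.num_addresses > 1:
            return "subnet"
    return "host"


def audit_policy(text):
    """Flag policy lines that ACCEPT connections originating on the Internet."""
    findings = []
    for cols in _columns(text):
        if len(cols) < 3:
            continue
        src, dest, action = cols[0], cols[1], cols[2].upper()
        if src in UNTRUSTED and action == "ACCEPT":
            findings.append(f"policy {src}->{dest} is ACCEPT: default-allow from the Internet")
    return findings


def audit_rules(text):
    """Flag Internet-facing ACCEPT rules that open a whole zone/subnet or every port."""
    findings = []
    for cols in _columns(text):
        if len(cols) < 3:
            continue
        action = cols[0].split(":", 1)[0].upper()   # strip a ':loglevel' suffix
        src, dest = cols[1], cols[2]
        proto = cols[3].lower() if len(cols) > 3 else "all"
        dport = cols[4] if len(cols) > 4 else "-"
        if action != "ACCEPT" or src not in UNTRUSTED:
            continue
        scope = _dest_scope(dest)
        if scope != "host":
            findings.append(f"rule ACCEPT {src}->{dest} opens an entire {scope}")
        if dport == "-" or proto == "all":
            findings.append(f"rule ACCEPT {src}->{dest} has no port restriction")
    return findings


def audit(policy_text, rules_text):
    """Return all findings for one policy/rules pair (empty list means clean)."""
    return audit_policy(policy_text) + audit_rules(rules_text)


if __name__ == "__main__":
    for label, pol, rul in (("broken", BROKEN_POLICY, BROKEN_RULES),
                            ("fixed", FIXED_POLICY, FIXED_RULES)):
        print(f"== {label} ==")
        for finding in audit(pol, rul) or ["no findings"]:
            print("  " + finding)
```

Run as `python3 shorewall_audit.py` after pointing the constants at real `/etc/shorewall/policy` and `/etc/shorewall/rules` contents; the script does not apply the ruleset, so an ACCEPT the audit misses (for example one reached through a macro or an action file) still needs `shorewall check` and a port scan from outside. The point it makes is the one from the post: with a default-deny policy the explicit rules are the whole exposure surface, so the audit can enumerate it.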