On 2/16/24 3:01 PM, William Herrin wrote:
On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <jra@baylink.com> wrote:
From: "Justin Streiner" <streinerj@gmail.com> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced to accept in the v4 world. NAT doesn't "equal" security.
But it is certainly a *component* of security, placing control of what internal nodes are accessible from the outside in the hands of the people inside. Hi Jay,
Every firewall does that. What NAT does above and beyond is place control of what internal nodes are -addressable- from the outside in the hands of the people inside -- so that most of the common mistakes with firewall configuration don't cause the internal hosts to -become- accessible.
If you know which subnets need to be NAT'd don't you also know which ones shouldn't exposed to incoming connections (or conversely, which should be permitted)? It seems to me that all you're doing is moving around where that knowledge is stored? Ie, DHCP so it can give it private address rather than at the firewall knowing which subnets not to allow access? Yes, DHCP can be easily configured to make everything private, but DHCP for static reachable addresses is pretty handy too. Mike