On Monday 04 June 2007 18:06, Owen DeLong wrote:
On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
Owen DeLong <owen@delong.com> writes:
There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding.
This is one of those assertions that gets repeated so often people are liable to start believing it's true :-).
Maybe because it _IS_ true.
*No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
Correct. There's nothing you get from NAT in that respect that you do not get from good stateful inspection firewalls. NONE whatsoever.
Sorry, Owen, but your argument is ridiculous. The original statement was "[t]here's no security gain from not having real IPs on machines". If someone said, "there's no security gain from locking your doors", would you refute it by arguing that there's no security gain from locking your doors that you don't get from posting armed guards round the clock?
Except that's not the argument. The argument would map better to:
There's no security gain from having a screen door in front of your door with a lock and dead-bolt on it that you don't get from a door with a lock and dead-bolt on it.
I posit that a screen door does not provide any security. A lock and deadbolt provide some security. NAT/PAT is a screen door. Not having public addresses is a screen door. A stateful inspection firewall is a lock and deadbolt.
Owen
To add to that: Need I remind those of us who see NAT as some sort of firewall?: NAT is Network Address Translation, and is designed to be for only providing a source of private IP addressing.. it wasn't designed to be a "protection" - it's just a side effect that it does offers any protection at all. People may get lucky because their NAT may check from which interface traffic comes in on (which is a form of inspection, thus indicates a presense of a firewall). But without any sort of packet inspection, someone could trick your NAT into thinking a connection was open when it was not, thus opening a connection to a system on your NAT (that is probably unfirewalled in itself). Or another example: a third party finds out a system on your NAT has a connection open to a host on the internet, so the third party wedges their own foriged packets into the connection, and a NAT without inspection will just foreward it to the internal host without batting an eye.