From owner-nanog@merit.edu Mon Jun 4 13:54:55 2007 Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Date: Mon, 4 Jun 2007 14:47:06 -0400
On 4-Jun-2007, at 14:32, Jim Shankland wrote:
Shall I do the experiment again where I set up a Linux box at an RFC1918 address, behind a NAT device, publish the root password of the Linux box and its RFC1918 address, and invite all comers to prove me wrong by showing evidence that they've successfully logged into the Linux box?
Perhaps you should run a corresponding experiment whereby you set up a linux box with a globally-unique address, put it behind a firewall which blocks all incoming traffic to that box, and issue a similar invitation.
Do you think the results will be different?
Consider the possible *FAILURE* modes. e.g. (1) where somebody brings up _another_ path between the LAN that that box is on, and the public internet, with no translations or other protections whatsoever. (2) where the 'protection box' "fails open" -- e.g. passes all traffic without modification. NAT/PAT is 'belt and suspenders', but it *does* provide an additional layer of protection, _if_the_primary_protection_fails_. That 'additional protection' may or may not be 'significant', depending on one's viewpoint.
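As an added illustration (not code from any poster in this thread), the following Python model plays out the two experiments and the two failure modes above: a host at a global address behind a filter that blocks all inbound traffic to it, and a host at an RFC1918 address behind a box that both filters and does PAT. It assumes a stateless "block inbound to this address" filter, a PAT table populated only by outbound connections, an internet that does not route RFC1918 destinations, and, for failure mode (1), a rogue second link into the LAN that the attacker can hand packets to directly. All addresses (TEST-NET-2/3 public space, 10.0.0.5 inside) are constructed for the example; nothing here touches a real network.

```python
"""Toy model of the two protection layers argued over in this thread: a packet
filter in front of a host, and a PAT (port/address translation) box in front
of an RFC1918 LAN.  Addresses are constructed for the example (TEST-NET space
on the public side); nothing here touches a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# A hop returns the (possibly translated) packet it forwards, or None if it drops it.
Hop = Callable[[Packet], Optional[Packet]]


def public_internet(pkt: Packet) -> Optional[Packet]:
    """The public internet does not carry packets addressed to RFC1918 space."""
    ip = ip_address(pkt.dst)
    return None if any(ip in net for net in RFC1918) else pkt


class PacketFilter:
    """Stateless inbound filter: drops everything addressed to the listed hosts.
    fail_open models failure mode (2): the box passes all traffic unmodified,
    e.g. its rules were flushed while the chain policy was ACCEPT."""

    def __init__(self, blocked_hosts: List[str]):
        self.blocked = set(blocked_hosts)
        self.fail_open = False

    def __call__(self, pkt: Packet) -> Optional[Packet]:
        if self.fail_open or pkt.dst not in self.blocked:
            return pkt
        return None


class PAT:
    """Port/address translator.  Only outbound packets create table entries; an
    inbound packet whose destination port has no entry has no inside host to
    go to and is dropped, whatever the filter in front of it did."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, inside port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def __call__(self, pkt: Packet) -> Optional[Packet]:  # inbound direction
        if pkt.dst != self.public_ip or pkt.dport not in self.table:
            return None
        inside_ip, inside_port = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def deliver(pkt: Packet, hops: List[Hop]) -> Optional[Packet]:
    """Push a packet through a chain of hops until one drops it."""
    for hop in hops:
        pkt = hop(pkt)
        if pkt is None:
            return None
    return pkt


ATTACKER = ("198.51.100.7", 51515)  # constructed source address/port


def probe_firewalled_host(filter_fails_open: bool) -> bool:
    """Host at a global address behind a filter blocking all inbound to it.
    Returns True if an unsolicited SSH SYN reaches the host."""
    host = "203.0.113.10"
    fw = PacketFilter(blocked_hosts=[host])
    fw.fail_open = filter_fails_open
    got = deliver(Packet(*ATTACKER, host, 22), [public_internet, fw])
    return got is not None and got.dst == host


def probe_natted_host(filter_fails_open: bool, rogue_path: bool) -> bool:
    """Host at an RFC1918 address behind one box doing filtering and PAT.  The
    attacker already knows the private address; the question is only whether a
    packet can be made to arrive there.  rogue_path models failure mode (1): a
    second, untranslated link into the LAN the attacker can hand packets to."""
    host, nat_public = "10.0.0.5", "203.0.113.1"
    fw = PacketFilter(blocked_hosts=[nat_public])
    fw.fail_open = filter_fails_open
    nat = PAT(nat_public)
    # (a) aim at the NAT's public address: the filter may pass it, the PAT has no state for it
    via_public = deliver(Packet(*ATTACKER, nat_public, 22), [public_internet, fw, nat])
    # (b) aim at the private address across the internet: never routed there
    via_private = deliver(Packet(*ATTACKER, host, 22), [public_internet, fw, nat])
    # (c) the rogue link forwards whatever it is given, with no translation or filtering
    via_rogue = deliver(Packet(*ATTACKER, host, 22), [lambda p: p]) if rogue_path else None
    return any(p is not None and p.dst == host for p in (via_public, via_private, via_rogue))


def reply_to_outbound_connection() -> Optional[Packet]:
    """State created by the inside host's own connection is what lets a reply back in."""
    nat = PAT("203.0.113.1")
    out = nat.outbound(Packet("10.0.0.5", 33000, "198.51.100.80", 443))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    return deliver(reply, [public_internet, nat])


if __name__ == "__main__":
    print("firewall only, working:   reached =", probe_firewalled_host(False))
    print("firewall only, fail-open: reached =", probe_firewalled_host(True))
    print("NAT, filter fail-open:    reached =", probe_natted_host(True, False))
    print("NAT, rogue second path:   reached =", probe_natted_host(False, True))
    print("reply to outbound conn:   ", reply_to_outbound_connection())
```

The model makes the two sides of the argument concrete: when the filter alone fails open, the globally addressed host is reachable, while the PAT box still drops the probe because nothing inside ever created a translation entry for it; when a second untranslated path exists, the private address offers no protection at all, because the packet simply never passes through the PAT. A real deployment would add conntrack-based stateful filtering and outbound policy on top of this, which the model leaves out.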