On Wed, 29 Oct 2003, Scott McGrath wrote:
Life would be much simpler without NAT, however there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor, i.e. "Oops, forgot a rule to protect X". <snip> A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet, as in my opinion they _should_ be.
NAT is certainly not the only way to restrict this sort of access. For your ship example (snipped), an isolated network is best.
For your building control systems, a firewall preventing inbound access, instead of a NAT device, should be your control of choice.
You are missing the point. Building control gear, instrument controllers, power controllers: their builders see a _cheap_ distribution method for updates, so they buy a TCP stack and cobble together an embedded application to update their software. Vendors are not thinking about acceptable levels of network security when they design this gear; they are thinking "hmm, no floppy or CD-ROM for $20, I can just put in a $4 ethernet controller and I can also save the salaries of the people needed to distribute the physical media."
This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc.).
routable != reachable. Restrict inbound access to your networks as needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that haven't been renumbered to IPv6, use a 4to6 gateway.
routable _is_ reachable. A firewall is merely a filtering device; it cannot determine the intent of the packet. If a packet complies with your defined ruleset and the protocol rules for that type of packet, the firewall passes it. NAT also has the advantage that if packets do leak, bogon filters at the border will drop them. Firewalls cannot compensate for broken protocols, or worse yet proprietary protocols which the firewall device has no knowledge of and therefore is limited to L3/4 filtering only. I have been playing with firewall and other internetwork security devices for longer than I care to remember.
You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required... and less so with IPv6.
Actually no, I tend to avoid NAT whenever possible; as other posters have pointed out, NAT tends to break things which are not ordinarily broken and I do not need the additional headaches. I simply see NAT as a tool in the toolbox to be used to fix networking problems.
...david
--- david raistrick drais@atlasta.net http://www.expita.com/nomime.html
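The "routable != reachable" argument above, and the objection that an L3/4 filter knows nothing about FTP, can both be seen in a small model. The following is an added example, not code from either poster: a toy connection-tracking filter in front of a publicly routed building controller (no NAT at all). The addresses are constructed from documentation ranges, the packet sequence is constructed, and the filter is a simplification of what a stateful firewall does with a tuple table.

```python
"""Toy stateful L3/L4 filter in front of a publicly routed device.

Added example, not from the original thread.  The device keeps a globally
routable address (no NAT); a stateful inbound-deny filter alone decides
whether it is reachable.  All addresses, ports and packets are constructed.
"""
from dataclasses import dataclass

# Constructed sample addresses from the RFC 5737 documentation ranges.
DEVICE = "203.0.113.10"    # the building controller, publicly routable
VENDOR = "198.51.100.5"    # the vendor's FTP firmware-update server
SCANNER = "192.0.2.77"     # an arbitrary outside host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening segment


class StatefulFilter:
    """Allow flows opened from inside and their replies; drop inbound new flows.

    The table records (src, sport, dst, dport) for flows opened from inside,
    in the spirit of a connection-tracking firewall.  It has no application
    knowledge, so it cannot learn a data port announced on an FTP control
    channel; that is the L3/4-only limitation the thread argues about.
    """

    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        self.flows = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "ALLOW"           # belongs to an established flow
        if pkt.syn and pkt.src in self.inside:
            self.flows.add(forward)  # new flow opened from inside
            return "ALLOW"
        return "DROP"                # any other packet from outside


def firmware_update_scenario():
    """Run a constructed packet sequence; return verdicts keyed by step name.

    Steps are evaluated in insertion order, so the control connection is
    opened before its reply arrives.
    """
    fw = StatefulFilter(inside_hosts=[DEVICE])
    steps = {
        # Outside host probes the routable address directly.
        "inbound_probe":   Packet(SCANNER, 40000, DEVICE, 21, syn=True),
        # Device opens the FTP control channel to the vendor.
        "ftp_control":     Packet(DEVICE, 50001, VENDOR, 21, syn=True),
        # Vendor's reply on that channel.
        "ftp_control_rep": Packet(VENDOR, 21, DEVICE, 50001, syn=False),
        # Forged "reply" from outside that matches no tracked flow.
        "spoofed_reply":   Packet(SCANNER, 21, DEVICE, 50001, syn=False),
        # Active-mode FTP: the server opens the data connection inbound.
        "active_data":     Packet(VENDOR, 20, DEVICE, 50002, syn=True),
        # Passive-mode FTP: the device opens the data connection outbound.
        "passive_data":    Packet(DEVICE, 50003, VENDOR, 61000, syn=True),
    }
    return {name: fw.filter(pkt) for name, pkt in steps.items()}


if __name__ == "__main__":
    for name, verdict in firmware_update_scenario().items():
        print(f"{name:16s} {verdict}")
```

The routable device is unreachable for new inbound connections and for a forged reply, so the filter alone provides the inbound isolation without NAT. The active-mode FTP data connection is dropped, which is exactly the failure the thread's FTP objection points at: a filter limited to L3/4 cannot open that port without an application-aware helper, so vendors' update mechanisms either use passive mode or the filter needs an FTP helper in front of the device.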