RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
Again, whether the lock/deadbolt come as a package deal with the screen door or not, it is the lock/deadbolt that provide the security, not the screen door.
Wow, I don't know what to say. I've never heard of a screen door that came with, and could not work without, a lock and deadbolt. It's totally obvious that you had no intention of implying that typical NAT implementations didn't provide any security. And, by the way, in all of my real examples, it was the actual NAT that provided the security. The Windows machines are behind a device that has but one rule configured in it, and it's a NAT rule. The NAT rule is the only thing that causes the machine to do any stateful inspection at all. That is, one single element provides the NAT and the SI, SI is the means by which the NAT is implemented, and SI is the only way to provide NAT. The device is *NOT* configured to reject inbound by default. Other machines on other parts of my private network *can* reach it through its NAT on its private addresses. Our wireless network, for example, has its own NAT to reach the Internet and its own block of private addresses, but can reach the wired Windows boxes on their private addresses. Yet you *STILL* can't log into my Linux box even with the root password. You still can't access my Windows network shares even with the administrator password. If it was on a public IP address, all other things being the same, it would take you ten seconds to get into it. These machines have never been compromised. All other things being precisely the same, without the private addresses, they would never have lasted. It is simply a fact that private addresses and NAT itself do provide some security. You can get this same security without the private addresses and without the NAT, but that changes nothing. This is the claim you are defending: "There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding." So why can't you break into these machines when the only thing stopping you is that they don't have real IPs? There is no other security of any kind in place.
There is no "reject inbound by default", no firewall rules (except NAT itself). The only stateful inspection is used to make NAT work and is the *implementation* of NAT itself. All I have is the very thing you claim provides "no security gain". And it's what's stopping you. DS
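The mechanism the post describes, a NAT device with no explicit deny rule whose stateful translation table is the only thing deciding what reaches a private host, can be shown in a small simulation. This is an added illustration, not code from the thread or from any real NAT implementation; the addresses (203.0.113.10 as the device's public side, 192.168.1.20 as a private host, 198.51.100.0/24 as remote hosts) are constructed from documentation ranges, and the port-allocation and symmetric-matching behaviour are simplifying assumptions. The point it makes is the one the post makes: an unsolicited inbound packet is not rejected by a rule, it is dropped because there is no mapping to translate it to.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses from RFC 5737 documentation ranges (assumption, not from the thread).
PUBLIC_IP = "203.0.113.10"     # public side of the NAT device
PRIVATE_HOST = "192.168.1.20"  # a Windows box behind the NAT
REMOTE_WEB = "198.51.100.5"    # a server the private host talks to
REMOTE_SCANNER = "198.51.100.9"  # some other host on the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatDevice:
    """Port-translating NAT with a single stateful table and no deny rules at all."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (private_ip, private_port, remote_ip, remote_port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Private host sends a packet outward: create or reuse state, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arrives on the public side. Returns the translated packet, or None if dropped.

        Note there is no 'reject' branch here: a packet that matches no state simply has
        nowhere to be translated to, so the device has nothing to forward.
        """
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us; a private address is not routable from outside
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping exists for this port
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # symmetric matching (assumption): only the peer the host spoke to may reply
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def run_scenario() -> dict:
    """Walk through the cases from the thread and return what the private host actually receives."""
    nat = NatDevice(PUBLIC_IP)

    # 1. The private host browses to a web server; the NAT allocates a public port.
    translated = nat.outbound(Packet(PRIVATE_HOST, 51000, REMOTE_WEB, 80))

    # 2. The web server's reply matches state and is delivered to the private host.
    reply = nat.inbound(Packet(REMOTE_WEB, 80, PUBLIC_IP, translated.src_port))

    # 3. An unsolicited connection to the SMB port on the public address: no state, dropped.
    smb_probe = nat.inbound(Packet(REMOTE_SCANNER, 1234, PUBLIC_IP, 445))

    # 4. A packet aimed at the mapped port but from a different remote host: no matching state.
    spoofed = nat.inbound(Packet(REMOTE_SCANNER, 80, PUBLIC_IP, translated.src_port))

    # 5. A packet addressed directly to the private address never matches the public side.
    direct = nat.inbound(Packet(REMOTE_SCANNER, 1234, PRIVATE_HOST, 445))

    return {
        "translated_src": (translated.src_ip, translated.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "smb_probe_delivered": smb_probe is not None,
        "spoofed_delivered": spoofed is not None,
        "direct_delivered": direct is not None,
        "table_entries": len(nat.table),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The simulation also makes the other side of the argument concrete: the protection is entirely a property of the state table, so anything that creates state on the host's behalf (a port forward, UPnP, a session the host initiates to a hostile peer) reopens the path, which is why the same protection is usually paired with an explicit inbound policy rather than relied on alone.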
Participants (1): David Schwartz