North American Network Operators Group

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Larry Smith
  • Date: Mon Jun 04 17:29:45 2007

On Monday 04 June 2007 13:54, Valdis.Kletnieks@xxxxxx wrote:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
>
> Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.

Cool, then I need four of these firewalls, and two Class-C (512) worth of IP 
space that works behind my current ISP at no more than $39.95 each (my basic 
price for a Dlink, Netgear, etc. cable/dsl router with NAT) with no additional 
cost to my monthly internet - and I will start switching over networks...

Yes, I am joking, but the point being that _currently_ NAT serves a purpose; 
is supported by lots and lots of little "boxes" that customers can plug in, 
configure, and be on the "net" quickly and easily without having to know 
about all the "firewall" related stuff; and _does_ do all those neat stateful 
things for people that have absolutely no interest in knowing about, much less 
learning how to make work.

While I agree with the principle being discussed, would that many, many, many 
more cable in particular and dsl customers of <Insert-Name-of-Large-ISP> had 
such NAT boxes installed and maybe the rest of us would not be getting quite 
so much spam from hacked cable/dsl/whatever machines...

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx