North American Network Operators Group
Re: Security gain from NAT
On Jun 4, 2007, at 12:22 PM, Dave Israel wrote:
> Valdis.Kletnieks@xxxxxx wrote:
>> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
>>> *No* security gain? No protection against port scans from Bucharest?
>> Nope. Zip. Zero. Zilch. Nothing over and above what a good properly
Actually, I would disagree.
A large percentage of attacks, 80% by some estimates, are from behind the firewall. I will argue that the end system needs its own defenses anyway for that reason if none other.
That said, the end system is not the only thing one defends. One has an investment in bandwidth and in various other services that one provides for oneself; the firewall primarily defends those assets, and incidentally gives a first line of defense for your end systems.
Defense in depth is also a very commonly used strategy; by limiting the attacks that can happen in defended places, one can focus more heavily on the attacks that remain possible.
I compare it to the human body's defenses. We have all sorts of things that we use to defend against disease, etc.: cells that attack specific things, cells that attack things that differ from what is expected, sentinels, and all sorts of other things. We also have at least two firewalls. The skin keeps an awful lot of crud out, meaning we don't have to bring in the big guns, and between the brain and the rest of the body we have a second firewall.
NATs are overrated as firewalls. As defenses, they are breached with some regularity. Stateful firewalls are better, if only because they are more intelligent. And firewalls as a class are overrated as a defense mechanism. There is a long list of attacks that cross them with ease. But as one weapon in the arsenal, they are a simple prophylactic that helps in a material way.
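As an added illustration (not part of the thread above, and not anyone's production code), the following Python model shows the connection-tracking behaviour that makes a stateful perimeter filter "more intelligent" than a plain address translator: flows started from inside are remembered and their replies admitted, unsolicited inbound probes are dropped, and idle entries expire. It also shows the earlier point about attacks from behind the firewall: traffic between two inside hosts never crosses the perimeter, so the filter cannot see it at all. The inside prefix (10.0.0.0/24), the documentation addresses 203.0.113.10 / 203.0.113.53 / 198.51.100.7, the 60-second idle timeout and the packet sequence are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "10.0.0."          # assumed inside network; not from the thread


@dataclass(frozen=True)
class Packet:
    t: float                    # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


Key = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


class StatefulFilter:
    """Minimal stateful perimeter filter.

    Policy: a flow may be opened only from inside (a TCP SYN without ACK, or any
    non-TCP datagram). Packets matching a remembered flow in either direction are
    allowed; anything else arriving from outside is dropped; idle flows expire.
    """

    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, float] = {}   # forward 5-tuple -> last time seen

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_NET)

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, p: Packet) -> str:
        self._expire(p.t)
        src_in, dst_in = self.is_inside(p.src), self.is_inside(p.dst)
        if src_in == dst_in:
            # Inside-to-inside (or outside-to-outside) traffic does not traverse
            # the perimeter; the filter never gets a chance to judge it.
            return "not-seen"
        fwd: Key = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev: Key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.table:             # continuation of a known flow
            self.table[fwd] = p.t
            return "allow"
        if rev in self.table:             # reply to a known inside-initiated flow
            self.table[rev] = p.t
            return "allow"
        opens_flow = p.proto != "tcp" or (p.syn and not p.ack)
        if src_in and opens_flow:         # only the inside may open new state
            self.table[fwd] = p.t
            return "allow"
        return "drop"                     # unsolicited inbound, or stray inside packet


# Constructed packet trace (not captured from any real network).
SAMPLE_PACKETS: List[Packet] = [
    Packet(0.00, "10.0.0.5", 40001, "203.0.113.10", 80, syn=True),            # inside opens HTTP
    Packet(0.10, "203.0.113.10", 80, "10.0.0.5", 40001, syn=True, ack=True),  # SYN/ACK back
    Packet(1.00, "198.51.100.7", 55000, "10.0.0.5", 22, syn=True),            # outside port scan
    Packet(1.00, "198.51.100.7", 55001, "10.0.0.5", 80, syn=True),
    Packet(1.00, "198.51.100.7", 55002, "10.0.0.5", 443, syn=True),
    Packet(2.00, "10.0.0.5", 40002, "10.0.0.9", 445, syn=True),               # inside-to-inside
    Packet(3.00, "10.0.0.5", 53001, "203.0.113.53", 53, proto="udp"),         # DNS query out
    Packet(3.05, "203.0.113.53", 53, "10.0.0.5", 53001, proto="udp"),         # DNS reply in
    Packet(100.0, "203.0.113.10", 80, "10.0.0.5", 40001, ack=True),           # reply after idle timeout
]


def decisions(packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    """Run the trace through one filter instance and return the verdict per packet."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"t={p.t:6.2f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto:3} {verdict}")
```

Running the trace yields allow, allow, drop, drop, drop, not-seen, allow, allow, drop: the scan from outside is dropped in full, the inside host's HTTP and DNS exchanges pass, the late packet at t=100 is dropped because its flow entry has aged out, and the SMB packet to 10.0.0.9 is simply never seen, which is the case for host-level defenses the post makes.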