North American Network Operators Group


Re: [arin-announce] IPv4 Address Space (fwd)

  • From: Crist Clark
  • Date: Wed Oct 29 19:09:55 2003

Jack Bates wrote:
> David Raistrick wrote:
> >
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required, and less so with IPv6.
> >
> I think the point that was being made was that NAT allows the filtering
> of the box to be more idiot proof. Firewall rules tend to be complex,
> which is why mistakes *do* get made and systems still get compromised.
> NAT interfaces and setups tend to be more simplistic, and the IP
> addresses of the device won't route publicly through the firewall or any
> unknown alternate routes.

NAT for security is a bogus argument. NAT provides you nothing that a
simple stateful firewall provides[0]. The only reason a firewall is
"less idiot proof" is because NAT has such limited capabilities. People
may do more with a firewall simply because they can. If you want complex
rules, look at what happens to a NAT setup when you want to set up a
few static mappings. That's asking for trouble.

For a firewall to hobble the hosts behind it like NAT does takes only
a few simple rules. NAT also takes considerably more resources than a
stateful firewall.

[0] The only bonus in NAT is for the truly paranoid who want to hide
their network topology.

Crist J. Clark                               [email protected]
Globalstar Communications                                (408) 933-4387

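The claim above, that a stateful firewall needs only a few simple rules to give hosts the same inbound protection NAT does, as a worked illustration. This is an added example, not code from the thread or from any product mentioned in it: a toy connection-tracking filter that never rewrites an address. The interface names "lan" and "wan", the 2001:db8:1::/64 prefix and every address and port in the packet sequence are constructed for the example; the nftables snippet in the docstring is the real-world equivalent of the three rules.

```python
"""Toy stateful packet filter that performs no address translation.

Added illustration for the argument above (not code from the thread):
the inbound protection usually credited to NAT comes from connection
tracking plus a default-deny policy, and needs no address rewriting.
Interface names "lan"/"wan", the 2001:db8:1::/64 prefix and all
addresses below are constructed for the example.

The same policy in nftables syntax (interface names assumed):

    table inet filter {
        chain forward {
            type filter hook forward priority 0; policy drop;
            ct state established,related accept
            iifname "lan" oifname "wan" accept
        }
    }
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("2001:db8:1::/64")  # constructed documentation prefix


@dataclass(frozen=True)
class Packet:
    iif: str      # ingress interface: "lan" (inside) or "wan" (outside)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Three rules: allow outbound and remember it, allow replies, drop the rest."""

    def __init__(self, inside):
        self.inside = inside
        self.conntrack = set()   # 5-tuples of flows initiated from the lan side
        self.pinholes = set()    # (proto, dst, dport) services explicitly opened

    def allow_inbound(self, dst, dport, proto="tcp"):
        """Expose one inside service: a single rule, no static NAT mapping."""
        self.pinholes.add((proto, dst, dport))

    def handle(self, pkt):
        """Return the verdict ('accept' or 'drop') for one packet."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if pkt.iif == "lan":
            # Rule 1: traffic from the inside is allowed and creates state.
            # Spoofed inside addresses arriving on "wan" never reach this
            # branch, because the decision keys on the ingress interface.
            if ip_address(pkt.src) in self.inside:
                self.conntrack.add(flow)
                return "accept"
            return "drop"   # anti-spoofing: lan side must use the inside prefix

        if reverse in self.conntrack:
            # Rule 2: reply to a flow the inside opened (ct state established).
            return "accept"

        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            # Rule 2b: an explicitly published service.
            return "accept"

        # Rule 3: default deny. Unsolicited inbound traffic is dropped, which
        # is exactly the behaviour NAT is usually credited with.
        return "drop"


def demo():
    """Run a constructed packet sequence and return the verdicts in order."""
    fw = StatefulFilter(INSIDE)
    client, server, other = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:1::20"
    pkts = [
        # inside client opens a connection to an outside web server
        Packet("lan", client, 40000, server, 443),
        # the server's reply matches the tracked flow
        Packet("wan", server, 443, client, 40000),
        # unsolicited inbound connection attempt to the same client: dropped
        Packet("wan", server, 50000, client, 22),
        # reply-shaped packet aimed at a host that never opened a flow: dropped
        Packet("wan", server, 443, other, 40000),
        # outside host spoofing an inside address on the wan side: dropped
        Packet("wan", client, 40000, server, 443),
    ]
    verdicts = [fw.handle(p) for p in pkts]
    # Publishing one inside service takes one rule, not a NAT mapping.
    fw.allow_inbound(other, 443)
    verdicts.append(fw.handle(Packet("wan", server, 51000, other, 443)))
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['accept', 'accept', 'drop', 'drop', 'drop', 'accept']
```

The hosts keep their real, routable addresses throughout; nothing about their reachability depends on translation. The `allow_inbound` method is the counterpart to the "static mappings" remark above: exposing one service is one match on destination and port, with no mapping table to keep consistent.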