On Monday 04 June 2007 18:06, Owen DeLong wrote:
> On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
> >> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> >>> Owen DeLong <[EMAIL PROTECTED]> writes:
> >>>> There's no security gain from not having real IPs on machines.
> >>>> Any belief that there is results from a lack of understanding.
> >>>
> >>> This is one of those assertions that gets repeated so often people
> >>> are liable to start believing it's true :-).
> >>
> >> Maybe because it _IS_ true.
> >>
> >>> *No* security gain? No protection against port scans from Bucharest?
> >>> No protection for a machine that is used in practice only on the
> >>> local, office LAN? Or to access a single, corporate Web site?
> >>
> >> Correct. There's nothing you get from NAT in that respect that you do
> >> not get from good stateful inspection firewalls. NONE whatsoever.
> >
> > Sorry, Owen, but your argument is ridiculous. The original statement was
> > "[t]here's no security gain from not having real IPs on machines". If
> > someone said, "there's no security gain from locking your doors", would you
> > refute it by arguing that there's no security gain from locking your doors
> > that you don't get from posting armed guards round the clock?
>
> Except that's not the argument. The argument would map better to:
>
> There's no security gain from having a screen door in front of your
> door with a lock and dead-bolt on it that you don't get from a door
> with a lock and dead-bolt on it.
>
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
> Not having public addresses is a screen door. A stateful inspection
> firewall is a lock and deadbolt.
>
> Owen
To add to that: Need I remind those of us who see NAT as some sort of firewall? NAT is Network Address Translation, and is designed only to provide a source of private IP addressing. It wasn't designed to be a "protection" - it's just a side effect that it offers any protection at all. People may get lucky because their NAT may check which interface traffic comes in on (which is a form of inspection, thus indicates a presence of a firewall). But without any sort of packet inspection, someone could trick your NAT into thinking a connection was open when it was not, thus opening a connection to a system on your NAT (that is probably unfirewalled in itself). Or another example: a third party finds out a system on your NAT has a connection open to a host on the internet, so the third party wedges their own forged packets into the connection, and a NAT without inspection will just forward it to the internal host without batting an eye.
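To make the screen-door distinction concrete, here is an added Python model, not code from the thread or from any real NAT implementation: a translation-only NAT that forwards any inbound packet matching a mapping, beside the same NAT with per-flow state tracking that checks the peer address, the handshake flags and the TCP sequence window. The addresses, ports and fixed public port are constructed values, and the sequence check is simplified (no wrap-around, no advance on payload length).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                               # constructed packet model, not a real TCP parser
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                              # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (data)
    seq: int = 0

PUBLIC_IP, PUBLIC_PORT = "203.0.113.1", 40000   # NAT outside address and port (assumed)

class PlainNat:
    """Address translation only: any inbound packet that hits a mapping is forwarded."""
    def __init__(self):
        self.table = {}                     # (public_ip, public_port) -> (inside_ip, inside_port)
    def outbound(self, pkt):
        self.table[(PUBLIC_IP, PUBLIC_PORT)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, PUBLIC_PORT, pkt.dst, pkt.dport, pkt.flags, pkt.seq)
    def inbound(self, pkt):
        # No check of who sent it, of the TCP flags, or of the sequence number.
        return self.table.get((pkt.dst, pkt.dport))   # inside destination, or None

class StatefulNat(PlainNat):
    """Same translation, but an inbound packet must fit the tracked TCP flow."""
    WINDOW = 65535                          # receive window assumed by the model
    def __init__(self):
        super().__init__()
        self.flows = {}                     # mapping key -> flow state
    def outbound(self, pkt):
        out = super().outbound(pkt)
        self.flows[(PUBLIC_IP, PUBLIC_PORT)] = {
            "peer": (pkt.dst, pkt.dport), "state": "SYN_SENT", "next_seq": None}
        return out
    def inbound(self, pkt):
        flow = self.flows.get((pkt.dst, pkt.dport))
        if flow is None or (pkt.src, pkt.sport) != flow["peer"]:
            return None                     # unknown flow, or not from the real peer
        if flow["state"] == "SYN_SENT":
            if pkt.flags != "SA":
                return None                 # handshake must start with a SYN/ACK
            flow["state"], flow["next_seq"] = "ESTABLISHED", pkt.seq + 1
            return super().inbound(pkt)
        if not flow["next_seq"] <= pkt.seq < flow["next_seq"] + self.WINDOW:
            return None                     # sequence number outside the expected window
        return super().inbound(pkt)

def run(nat, outbound_syn, inbound):        # open one flow, then decide each inbound packet
    nat.outbound(outbound_syn)
    return [nat.inbound(p) for p in inbound]
```

With the same packet sequence, the plain table forwards a third party's packet and an out-of-window segment to the inside host, while the stateful variant drops both.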