When you all say NAT, are you implying PAT as well? 1 to 1 NAT really provides no security. But with PAT, different story. Are there poor implementations of PAT that don't enforce an exact port/address match for the translation table? If the translation table isn't at fault, are the 'helpers' that allow ftp to work passively to blame?
Chuck -----Original Message----- From: Doug Barton [mailto:do...@dougbarton.us] Sent: Sunday, November 13, 2011 4:49 PM To: Phil Regnauld Cc: nanog@nanog.org Subject: Re: Arguing against using public IP space On 11/13/2011 13:27, Phil Regnauld wrote: > That's not exactly correct. NAT doesn't imply firewalling/filtering. > To illustrate this to customers, I've mounted attacks/scans on > hosts behind NAT devices, from the interconnect network immediately > outside: if you can point a route with the ext ip of the NAT device > as the next hop, it usually just forwards the packets... Have you written this up anywhere? It would be absolutely awesome to be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration of why it isn't. Doug -- "We could put the whole Internet into a book." "Too practical." Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
