On Wed, Jul 02, 2003 at 08:48:27PM -0400, Chuck Swiger wrote:
> >>"Since NAT actually adds no security,
> >You're of the school that sez "what I tell you three times is true?"
> It worked for Dorothy, right? :-)
Well... If you only want to convince hillbillies it might be enough.
Actually NAT ma
On Thu, 3 Jul 2003, Clement Laforet wrote:
> Hi,
>
> On Wed, 2 Jul 2003 18:39:42 -0500 (CDT)
> Mike Silbersack <[EMAIL PROTECTED]> wrote:
>
> > > Comments? Suggestions? Vision?
> >
> > If you have some time to throw at the problem, you might consider
> > using gprof on natd in order to determ
Mike Silbersack wrote:
[ ... ]
Please explain this point more.
Say I have 1000 win 9x boxes connected to the internet with routable IPs
and no firewall. How will placing them behind a NAT box make them less
secure?
"man natd" suggests that you've just enabled IP spoofing for the LAN:
Y
Michael Sierchio wrote:
Chuck Swiger wrote:
[ ... ]
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
Sure, that works for me.
In any case, deny_incoming offers some extra measure of security.
Does it? Serious question, as none of the connections deny_incoming ma
On Wed, 2 Jul 2003, Chuck Swiger wrote:
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running NAT. Let
> me pull out a couple of quotes from various people:
Please explain this point more.
Say I have 10
Chuck Swiger wrote:
To the extent that "security" is a matter of opinion, I guess that's all
right: I'm not concerned if other people have different opinions than I do.
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
In any case, deny_incoming offers some extra
On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running NAT.
>
Our natd(8) contributes to security somewhat, by providing the
-deny_incom
Michael Sierchio wrote:
> Chuck Swiger wrote:
>
> >Many people are wrong, then. NAT is not a security feature.
>
> We simply disagree.
Puh-leaze. Not this discussion again. Can we stay on topic please?
--
Dean C. Strik Eindhoven University of Technology
[EMAIL PROTECTED] | [EMAI
Michael Sierchio wrote:
Chuck Swiger wrote:
Many people are wrong, then. NAT is not a security feature.
We simply disagree.
To the extent that "security" is a matter of opinion, I guess that's all right:
I'm not concerned if other people have different opinions than I do.
To the extent that secu
Hi,
On Wed, 2 Jul 2003 18:39:42 -0500 (CDT)
Mike Silbersack <[EMAIL PROTECTED]> wrote:
> > Comments? Suggestions? Vision?
>
> If you have some time to throw at the problem, you might consider
> using gprof on natd in order to determine what exactly about natd is
> slow. As is commonly mentioned
On Wed, 2 Jul 2003, Michael Sierchio wrote:
> Currently, performance w/divert sockets and natd in ipfirewall
> on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
> to be 50% of that offered by ipfilter+ipnat.
>
> Is there anything that can be done to speed up either the
> perfor
Chuck Swiger wrote:
Many people are wrong, then. NAT is not a security feature.
We simply disagree.
[ NAT sucks. In a very useful way, of course. Exogenous requirements
may impose unreasonable constraints upon implementing the technically
preferrable solution, just as "inept excess verbiage
Barney Wolff wrote:
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
NAT is not a security feature,
Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
Clearly that would not be you. Both static and dynamic (or "hide")
nat have secu
Michael Sierchio wrote:
Barney Wolff wrote:
NAT is not a security feature,
Many would disagree with that assertion.
Many people are wrong, then. NAT is not a security feature.
Check the list archives of <[EMAIL PROTECTED]>...
[ ... ]
If you believe you need to NAT at even 1Gb, I'd look
very hard
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
>
> Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
...
> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which ne
Barney Wolff wrote:
NAT is not a security feature,
Many would disagree with that assertion.
and should be used only where it is
actually necessary to translate addresses, and as far towards the edge
as possible.
This is typically where firewalls are found.
If you believe you need to NAT at even
On Wed, Jul 02, 2003 at 10:31:10AM -0700, Michael Sierchio wrote:
>
> Currently, performance w/divert sockets and natd in ipfirewall
> on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
> to be 50% of that offered by ipfilter+ipnat.
>
> Is there anything that can be done to spee
Currently, performance w/divert sockets and natd in ipfirewall
on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
to be 50% of that offered by ipfilter+ipnat.
Is there anything that can be done to speed up either the
performance of divert and natd? Alternatively, could network
ad
18 matches
Mail list logo
