
Re: Why people by NATs

2004-11-24 00:51:08
On Tue, 2004-11-23 at 19:02 -0500, Daniel Senie wrote:
At 06:00 PM 11/22/2004, Fred Baker wrote:
At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
There's another feature of NAT that is desirable that has not yet been
mentioned, and which at least some customers may be cognizant of: the
fact that NAT is a pretty restrictive firewall.

would that it were true. In fact, it is pretty easy to breach. All one has 
to do is ddos with the right port prefix, observe a response of any 
kind, and you can ddos right through it.

I take it Cisco NAT implementations are not very well implemented then.

Well, in this case I can't blame Cisco, because NATs are simply made to
be implemented well.

An actual stateful firewall is a good thing. NAT mostly has the effect of 
deluding the person behind it into thinking they have a security solution.

Stop there. Fred, I am sure you've read or written the code to implement:

a) a stateful inspection firewall

b) a NAPT implementation (what most folks think of when they talk about NAT).

The code is NEARLY identical. In fact, the lookup tables used just need an 
extra column to track some additional information.

That two tools both use bubblesort doesn't mean they fulfill the same
function. The same with a lookup table function.

Please stop with the argument that NAT and stateful inspection firewalls 
are different beasts.

They are very different. A tiger and a little pussy cat, which one do
you pet and take into your lap? Two different beasts, though they look
the same...

The software to implement them is basically 
identical. If you dislike NATs, say so, but this old argument about NAT 
boxes not providing security provided by stateful inspection firewalls is 
just not an honest one.

A NAT does not provide security as a NAT doesn't have any rules.

Also note that there is usually a _separate_ firewall component in
common NAT boxes (and please don't call them routers as they are not);
this is the thing that gives the machine its little bit of 'security',
not that anyone tinkers with the rules, thus keeping the box wide open.

Greets,
 Jeroen
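The thread turns on one question: if a NAPT translation table and a stateful-inspection connection table are "nearly identical", why does one act as a filter and the other not? The toy model below is an added example, not code from any poster or vendor. It constructs a NAPT whose inbound lookup is keyed on the public port alone (the endpoint-independent filtering behaviour described in RFC 4787; real boxes vary) next to a firewall whose table carries the "extra column", the remote endpoint, plus an explicit rule set. All addresses, ports and packets are constructed for the illustration.

```python
"""
Toy model of the two lookup tables argued about in the thread:
a NAPT translation table versus a stateful-inspection connection table.
Added example, not code from the thread or from any product.
Assumed simplification: the NAPT admits any inbound packet to a mapped
public port (endpoint-independent filtering); the firewall keys on the
full flow and otherwise consults an explicit allow-list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-translating NAT: its table maps inside endpoint <-> public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port) -> public_port
        self.back = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate and forward anything aimed at a mapped public port.
        There is no rule to consult and the sender is never checked."""
        inside = self.back.get(pkt.dst_port)
        if inside is None:
            return None  # no mapping: the only thing a bare NAPT drops
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StatefulFirewall:
    """Connection table keyed on the whole flow, plus an explicit policy."""

    def __init__(self, allow_inbound=()):
        self.flows = set()                        # (in_ip, in_port, rem_ip, rem_port)
        self.allow_inbound = set(allow_inbound)   # (in_ip, in_port) rules

    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt):
        # Reply to a flow we opened: the remote endpoint must match too.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return pkt
        # Otherwise only what the administrator explicitly allowed.
        if (pkt.dst_ip, pkt.dst_port) in self.allow_inbound:
            return pkt
        return None


def compare():
    """Constructed scenario: one outbound DNS query, then three inbound packets.
    Returns (passed_napt, passed_firewall) for each inbound case."""
    nat, fw = Napt("192.0.2.1"), StatefulFirewall()
    query = Packet("10.0.0.5", 51000, "198.51.100.7", 53)
    public = nat.outbound(query)      # 192.0.2.1:40000 -> 198.51.100.7:53
    fw.outbound(query)                # firewall records the full flow

    # 1. the legitimate reply from the server we asked
    reply_nat = Packet("198.51.100.7", 53, "192.0.2.1", public.src_port)
    reply_fw = Packet("198.51.100.7", 53, "10.0.0.5", 51000)
    # 2. an unsolicited packet from elsewhere aimed at the same mapped port
    stray_nat = Packet("203.0.113.9", 4444, "192.0.2.1", public.src_port)
    stray_fw = Packet("203.0.113.9", 4444, "10.0.0.5", 51000)
    # 3. a packet to a port with no mapping and no recorded flow
    cold_nat = Packet("203.0.113.9", 4444, "192.0.2.1", 40001)
    cold_fw = Packet("203.0.113.9", 4444, "10.0.0.5", 22)

    stray_result = nat.inbound(stray_nat)
    return {
        "reply": (nat.inbound(reply_nat) is not None, fw.inbound(reply_fw) is not None),
        "stray_to_mapped_port": (stray_result is not None, fw.inbound(stray_fw) is not None),
        "unmapped": (nat.inbound(cold_nat) is not None, fw.inbound(cold_fw) is not None),
        # where the NAPT delivered the stray packet inside the network
        "stray_delivered_to": (stray_result.dst_ip, stray_result.dst_port),
    }


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case:22} {outcome}")
```

The second case is the whole disagreement in four lines: both tables let the reply in, but the NAPT also hands the stray packet to the inside host because its lookup never asks who sent it, while the firewall's table holds the remote endpoint and drops it. The missing column is the rule.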


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf