As the administrator of several small networks, it is quite simple. By
re-writing the address, the NAT is a de facto default deny. I have a lot
more trust in the simplicity of a basic NAT in a consumer firewall than I
do in any firewall which has to examine each packet for conformance to
complex policy rules.
The re-writing of the address has nothing to do with the
security benefit of the box. Looking the incoming packet
up in a state table and forwarding (with re-write) the
packet if a match is found otherwise dropping / icmping it
is what provides the security.
Otherwise I could just loose source route around the NAT box.
It is much better to have a box that is designed to provide
security than it is to have a box that provides security
as a side effect. I'm sure you will find that there are
NAT boxes that you can use the loose source route trick to
bypass any perceived security benefits. NAT boxes have
different design goals to firewalls. They are designed to
translate addresses. LSR is also designed to translate
addresses. LSR and NAT are complementary technologies. One
is end initiated, the other is done in the middle of the
network.
But, this misses the point I see in Phillip's discussion... I read his
ultimate proposal as:
a. Stop bashing NAT, it provides value in the current network and
has prevented a total meltdown which would have happened if every
early OS were directly attached to the internet
People aren't bashing NAT. They are saying that NAT is not
an appropriate solution for an IPv6 world. It adds a lot
more complexity than just a stateful firewall.
b. REPLACE NAT with a default deny infrastructure ... more than
just a single FW choke point.
On Mon, 2 Jul 2007, Melinda Shore wrote:
On 7/2/07 11:14 AM, "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
There is no other device that can provide me with a lightweight firewall
for $50.
Of course there is - the same device that's providing the NAT.
NAT by itself is intrinsically policy-free, although it implements
policy as a side-effect. I'm unclear on why you think that a
default-deny policy is better implemented on a NAT than on a
firewall.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
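The point made above about where the security of a "NAT box" actually comes from (the state-table lookup, not the address rewrite) and the follow-on point that a plain stateful firewall gives the same default-deny effect without translation in IPv6 can be illustrated with a small model. The following is an added example written for this page, not code from any participant in the thread or from any real NAT or firewall implementation; the addresses, ports and the `StatefulBox` / `StatelessRewriter` class names are constructed sample values. It forwards an inbound packet only when it matches state created by an earlier outbound packet, whether or not the source address was rewritten, and contrasts that with a stateless 1:1 rewrite that forwards every inbound packet.

```python
"""Toy model of a stateful translator / firewall (constructed example).

Packets are modelled as 5-tuples.  A StatefulBox records each outbound flow
in a state table and forwards an inbound packet only if it matches an entry;
the `rewrite` flag decides whether the source address is translated on the
way out (consumer NAT) or left alone (plain stateful firewall, the IPv6 case).
A StatelessRewriter translates addresses without keeping state and therefore
offers no default deny.  All addresses and ports below are made-up samples.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# State key: (external ip, external port, remote ip, remote port, proto)
FlowKey = Tuple[str, int, str, int, str]


class StatefulBox:
    """Middlebox that tracks outbound flows and applies default deny inbound."""

    def __init__(self, external_ip: str, rewrite: bool) -> None:
        self.external_ip = external_ip
        self.rewrite = rewrite
        self.state: Dict[FlowKey, Tuple[str, int]] = {}
        self.next_port = 40000          # next translated source port to hand out
        self.dropped = 0                # count of inbound packets with no state

    def outbound(self, pkt: Packet) -> Packet:
        """Forward an inside->outside packet, creating a state entry for it."""
        if self.rewrite:
            ext_ip, ext_port = self.external_ip, self.next_port
            self.next_port += 1
        else:
            ext_ip, ext_port = pkt.src_ip, pkt.src_port      # no translation
        key: FlowKey = (ext_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        self.state[key] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward an outside->inside packet only if it matches existing state."""
        key: FlowKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        inside = self.state.get(key)
        if inside is None:
            self.dropped += 1           # default deny: drop (or send an ICMP error)
            return None
        in_ip, in_port = inside
        # Only when rewriting is the destination actually changed on the way in.
        return replace(pkt, dst_ip=in_ip, dst_port=in_port)


class StatelessRewriter:
    """1:1 address rewrite with no state table: every inbound packet addressed
    to the external address is rewritten and forwarded.  Rewriting on its own
    provides no default deny."""

    def __init__(self, external_ip: str, internal_ip: str) -> None:
        self.external_ip = external_ip
        self.internal_ip = internal_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.external_ip:
            return None                 # not ours to translate
        return replace(pkt, dst_ip=self.internal_ip)


def demo() -> Dict[str, bool]:
    """Run the three scenarios and report which inbound packets got through."""
    nat = StatefulBox("203.0.113.1", rewrite=True)
    nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.1", 40000))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 40000))

    fw = StatefulBox("2001:db8::1", rewrite=False)      # IPv6: no translation
    fw.outbound(Packet("2001:db8::10", 51000, "2001:db8:ffff::5", 443))
    reply6 = fw.inbound(Packet("2001:db8:ffff::5", 443, "2001:db8::10", 51000))
    stray6 = fw.inbound(Packet("2001:db8:ffff::5", 443, "2001:db8::10", 22))

    sr = StatelessRewriter("203.0.113.1", "192.168.1.10")
    unsolicited = sr.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 22))

    return {
        "nat_reply_forwarded": reply is not None,
        "nat_stray_dropped": stray is None,
        "fw_reply_forwarded": reply6 is not None,
        "fw_stray_dropped": stray6 is None,
        "stateless_unsolicited_forwarded": unsolicited is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The state table is keyed on the full 5-tuple as seen from the outside, so a reply to an established flow is forwarded (and, in the NAT case, rewritten back to the inside host) while an inbound packet with no matching entry is dropped regardless of whether any rewriting is configured. The `rewrite=False` instance behaves identically on the inbound side, which is the sense in which a stateful firewall gives the same default deny in IPv6 without the added complexity of translation.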