Date:      Wed, 29 Mar 2000 23:02:26 +0930
From:      Randy Bush <randy@psg.com>
To:        "Brian O'Shea" <boshea@ricochet.net>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID:  <E12aIaA-0001yj-00@roam.psg.com>
References:  <20000328113534.W330@beastie.localdomain> <Pine.BSF.4.05.10003281436440.3162-100000@kronos.networkrichmond.com> <E12a411-0001UE-00@roam.psg.com> <20000328145615.B330@beastie.localdomain>

>>> NAT will effectively protect the boxes on your network.
>> how?  firewalls protect.  nat merely translates addresses.
> Correct.  And since there is no way for machines outside of my local
> network to know what internal addresses are being translated by my
> router, there is no way to address them from outside.

nats kindly create and generate the mappings for the attacker.

> Even if these addresses are known, there is no route to them from the
> internet;

there are routes to the addresses to which nat translates them.

> they are reserved for use by private networks:
> <http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt>;

wow!  what an exciting rfc!  </sarcasm>

i am sitting next to three rather renowned security folk at the iesg/iab
breakfast here at the adelaide ietf.  quote one whose book you probably read
"NATs per se provide little security.  They can, however, be used as one
component of a firewall, which does provide some security."

randy

