Re: Why people buy NATs

On Tue, 2004-11-23 at 19:02 -0500, Daniel Senie wrote:
> At 06:00 PM 11/22/2004, Fred Baker wrote:
> >At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
> >>There's another feature of NAT that is desirable that has not yet been
> >>mentioned, and which at least some customers may be cognizant of: the
> >>fact that NAT is a pretty restrictive firewall.
> >
> >would that it were true. In fact, it is pretty easy to breach. All one has 
> >to do is ddos with the right port prefix, observe a response of any 
> >kind, and you can ddos right through it.
> 
> I take it Cisco NAT implementations are not very well implemented then.

Well, in this case I can't blame Cisco, because NATs are simply made to
be implemented well.

> >An actual stateful firewall is a good thing. NAT mostly has the effect of 
> >deluding the person behind it into thinking they have a security solution.
> 
> Stop there. Fred, I am sure you've read or written the code to implement:
> 
> a) a stateful inspection firewall
> 
> b) a NAPT implementation (what most folks think of when they talk about NAT).
> 
> The code is NEARLY identical. In fact, the lookup tables used just need an 
> extra column to track some additional information.

That two tools both use bubblesort doesn't mean they fulfill the same
function. The same with a lookup table function.

> Please stop with the argument that NAT and stateful inspection firewalls 
> are different beasts.

They are very different. A tiger and a little pussy cat, which one do
you pet and take into your lap? Two different beasts, though they look
the same...

>  The software to implement them is basically 
> identical. If you dislike NATs, say so, but this old argument about NAT 
> boxes not providing security provided by stateful inspection firewalls is 
> just not an honest one.

A NAT does not provide security as a NAT doesn't have any rules.

Also note that there is usually a _separate_ firewall component in
common NAT boxes (and please don't call them routers, as they are not);
this is the thing that gives the machine its little bit of 'security',
not that anyone tinkers with the rules, thus keeping the box wide open.

Greets,
 Jeroen
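Added example, not code from the thread or from any of its participants: a toy Python model of the two tables Daniel and Jeroen are arguing about. The NAPT keeps only the internal-endpoint-to-external-port mapping and forwards any inbound packet that hits a mapped port (endpoint-independent filtering, in RFC 4787 terms); the firewall is the same table with Daniel's "extra column", the remote endpoint the mapping was opened for, and drops anything that does not match it. The class names, addresses and the spraying attacker are all constructed for this illustration; they model Fred's "probe the port range, observe a response" scenario only in the abstract, not any particular product.

```python
"""Toy NAPT versus stateful-inspection table (added illustration, not from the thread).

Addresses, ports and class names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """NAPT with endpoint-independent filtering: once an internal host has
    opened a mapping, any external host that hits the mapped port reaches it.
    There is no column for the remote endpoint, hence no rule to apply."""

    EXTERNAL_IP = "203.0.113.1"   # constructed public address of the box

    def __init__(self):
        self.next_port = 40000
        self.out_map = {}   # (internal_ip, internal_port) -> external_port
        self.in_map = {}    # external_port -> (internal_ip, internal_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            ext = self.next_port
            self.next_port += 1
            self.out_map[key] = ext
            self.in_map[ext] = key
        return Packet(self.EXTERNAL_IP, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # Only the destination port is looked up; the sender is never checked.
        target = self.in_map.get(pkt.dport)
        if target is None:
            return None
        return Packet(pkt.src, pkt.sport, target[0], target[1])


class StatefulFirewall(Napt):
    """Same lookup table plus one extra column: the remote endpoint each
    mapping was created for. Inbound traffic must match the full 5-tuple."""

    def __init__(self):
        super().__init__()
        self.peer = {}      # external_port -> (remote_ip, remote_port)

    def outbound(self, pkt):
        translated = super().outbound(pkt)
        self.peer[translated.sport] = (pkt.dst, pkt.dport)
        return translated

    def inbound(self, pkt):
        if self.peer.get(pkt.dport) != (pkt.src, pkt.sport):
            return None     # no state for this remote endpoint: drop
        return super().inbound(pkt)


def attacker_probe(box, ports):
    """Attacker at a constructed address sprays the box's external ports.
    Returns the external ports whose packets were forwarded inside, which
    is exactly what the attacker learns from any response."""
    reached = []
    for p in ports:
        if box.inbound(Packet("198.51.100.9", 12345, box.EXTERNAL_IP, p)):
            reached.append(p)
    return reached


def scenario(box):
    """Internal client opens one session, then the attacker scans.
    Returns (legitimate reply delivered?, ports the attacker got through)."""
    box.outbound(Packet("192.168.1.10", 51000, "192.0.2.50", 53))
    legit = box.inbound(Packet("192.0.2.50", 53, box.EXTERNAL_IP, 40000))
    hits = attacker_probe(box, range(40000, 40100))
    return legit is not None, hits


if __name__ == "__main__":
    print("NAPT     :", scenario(Napt()))
    print("firewall :", scenario(StatefulFirewall()))
```

Both boxes deliver the legitimate reply, so from the inside they look the same; the difference only shows up when something other than the original peer arrives. The NAPT hands the attacker the mapped port on the first hit, after which anything sent to that port is forwarded, while the firewall's extra column turns the same table into a rule that has something to drop on.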


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
