[LINK] www.ipv6.org.au/summit
Karl Auer
kauer at biplane.com.au
Sun Aug 31 15:30:38 AEST 2008
On Sun, 2008-08-31 at 13:40 +1000, Jon Seymour wrote:
> In most homes, the packet filter that protects the machines in that
> network from unsolicited inbound traffic *is* the packet filter
> implemented by the NAT device and so this is why it is undeniable that
> NAT provides a net security benefit, as compared to, say, unfiltered
> dialup connections.

As I wrote in my earlier message:

"None of this means that those NAT devices in every home are useless
from a security point of view. The "unintended consequence" that they
provide is valuable. But it isn't NAT that you need - it's the packet
filtering side effect, and you can have that *without* NAT."

In other words, I agree with you that those devices have a security
benefit. But it's not the NAT that we need, at least not from a security
point of view.

By way of analogy, I keep lots of stuff on top of my front-loading
washing machine - detergents, pegs and so on. However, the reason I have
the washing machine is to wash things. The storage space on top of it is
a coincidental side effect. A shelf could do the job better and would be
simpler and cheaper. As long as the machine is there, it makes sense to
store stuff on it; it does provide some small storage benefit. NAT
provides a security benefit in the same way that a front-loading washing
machine provides a storage benefit.

Perhaps my point would be better stated as "NAT provides no security
benefit that cannot be obtained from a simple packet filter".

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at : random.sks.keyserver.penguin.de
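
Added example, not part of the original message: a small constructed model that runs the same traffic through a stateful packet filter with no translation and through a port-translating NAT, and compares their verdicts on inbound packets. The class names, the trace and the documentation-range addresses are assumptions made for illustration, and the NAT is assumed to filter per remote address and port.

```python
# Constructed model: inbound verdicts of a stateful filter (no NAT) vs. a NAPT box.

class StatefulFilter:
    """Default-deny inbound, no translation: admit only replies to inside-opened flows."""
    def __init__(self):
        self.flows = set()

    def outbound(self, host, hport, remote, rport):
        self.flows.add((host, hport, remote, rport))

    def inbound(self, remote, rport, host, hport):
        return (host, hport, remote, rport) in self.flows

class Napt:
    """Port-translating NAT: the same flow table, plus a rewrite to an external port."""
    def __init__(self):
        self.ext = {}          # external port -> (host, hport, remote, rport)
        self.next_port = 40000

    def outbound(self, host, hport, remote, rport):
        flow = (host, hport, remote, rport)
        if flow not in self.ext.values():
            self.ext[self.next_port] = flow
            self.next_port += 1

    def ports_for(self, host, hport):
        # External ports an outside sender could aim at to reach host:hport.
        return [p for p, f in self.ext.items() if f[:2] == (host, hport)]

    def inbound(self, remote, rport, ext_port):
        flow = self.ext.get(ext_port)
        return flow is not None and flow[2:] == (remote, rport)

def compare(trace):
    """Return (filter_verdict, nat_verdict) for every inbound packet in the trace."""
    fw, nat, verdicts = StatefulFilter(), Napt(), []
    for kind, a, ap, b, bp in trace:
        if kind == "out":
            fw.outbound(a, ap, b, bp)
            nat.outbound(a, ap, b, bp)
        else:
            via_nat = any(nat.inbound(a, ap, p) for p in nat.ports_for(b, bp))
            verdicts.append((fw.inbound(a, ap, b, bp), via_nat))
    return verdicts

TRACE = [  # constructed sample traffic
    ("out", "2001:db8:1::10", 51000, "2001:db8:ffff::80", 443),
    ("in", "2001:db8:ffff::80", 443, "2001:db8:1::10", 51000),  # reply to the flow
    ("in", "2001:db8:bad::1", 443, "2001:db8:1::10", 51000),    # different remote
    ("in", "2001:db8:bad::1", 4444, "2001:db8:1::10", 22),      # unsolicited
]
```

In this model every inbound verdict is decided by the flow-table lookup alone; the external-port rewrite in `Napt` changes how a packet is addressed, not whether it is admitted.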