Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/26/05

    To: Victor Williams <vbwilliams@neb.rr.com>, David Lang <david.lang@digitalinsight.com>
    Date: Mon, 25 Jul 2005 21:40:57 -0400


    Victor Williams wrote:
    >The whole reason NAT was implemented was because of a very finite (and quickly running out supply, depending on who you ask) number of publicly routable IP addresses.

    Actually, it wasn't. That was something on the horizon, but at the time when
    we first started selling firewalls IP addresses were still fairly easy to get.

    The first firewalls I built offered NAT (inherent in the design and then later via
    "Proxy transparency" in Gauntlet) because a lot of the early firewall customers
    had IP address ranges that they had picked out of a hat. Only a very few
    sophisticated customers had internal routing. A lot of Sun customers were
    using Sun's address range because that's what SunOS' install offered as a
    default suggestion.

    So, you have a FORTUNE-big firm that just plunked down $75,000 for
    an Internet gateway. Your choice is: re-address their network or NAT
    their traffic. Hmmmm... Let me think about that...

    It also didn't hurt that back in those days most customers actually were
    more concerned with security than they are now. So, when you explained
    to them that there was no IP routed between their network and the
    Internet, and that the firewall represented a controlled topological gateway
    between 2 incompatible networks, they "got it." Of course most of those
    old-school security admins have long since been overruled, outmaneuvered,
    and moved into other chains of command so that they no longer
    Impede Progress.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
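The "re-address their network or NAT their traffic" choice described in the post, as an added example that is not part of the original message or of any product mentioned in it. The check below (names, the sample prefixes and the sample destinations are the editor's own constructions) sorts an internal numbering plan into RFC 1918 space, which is never routed on the Internet and so collides with nothing, and borrowed public space, which shadows the legitimate owner's hosts from inside the network. A gateway that does NAT or proxies with no IP forwarding hides the borrowed addresses from the outside world, but the shadowed destinations stay unreachable from inside until the network is renumbered.

```python
"""Added example (not from the original post): why an internal network numbered
"out of a hat" forces a choice between re-addressing and NAT at the gateway.

A route to an internal prefix shadows every Internet destination inside that
prefix. RFC 1918 space (10/8, 172.16/12, 192.168/16) shadows nothing, since it
is not routed on the Internet. A block borrowed from someone else's public
allocation shadows that owner's hosts.
"""
import ipaddress

# Constructed: the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_prefix(prefix):
    """Return 'private' for RFC 1918 space, 'reserved' for other non-routable
    space (loopback, link-local, documentation ranges...), else 'public'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    if not net.is_global:
        return "reserved"
    return "public"


def borrowed_public_prefixes(internal_prefixes):
    """Internal prefixes that are really someone else's public space: these
    must be NATed at the gateway or renumbered before the site goes online."""
    return [p for p in internal_prefixes if classify_prefix(p) == "public"]


def shadowed_destinations(internal_prefixes, destinations):
    """Internet destinations that hosts inside cannot reach, because an internal
    route to borrowed public space covers them. NAT does not fix this case;
    only renumbering does."""
    nets = [ipaddress.ip_network(p, strict=False)
            for p in borrowed_public_prefixes(internal_prefixes)]
    shadowed = []
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        if any(addr in n for n in nets):
            shadowed.append(dest)
    return shadowed


if __name__ == "__main__":
    # Constructed numbering plan: one RFC 1918 block plus one public /24 picked
    # out of a hat (192.9.200.0/24 is a stand-in chosen by the editor, not a
    # claim about any particular vendor's default).
    plan = ["10.1.0.0/16", "192.9.200.0/24"]
    # Constructed destinations a user inside might try to reach.
    wanted = ["192.9.200.17", "8.8.8.8", "10.1.2.3"]
    for p in plan:
        print(p, "->", classify_prefix(p))
    print("needs NAT or renumbering:", borrowed_public_prefixes(plan))
    print("unreachable from inside even with NAT:",
          shadowed_destinations(plan, wanted))
```

Run it on a real site's prefix list to see which blocks the gateway must NAT and which Internet hosts remain invisible from inside regardless; an empty result from `borrowed_public_prefixes` means routing the prefixes without NAT is at least addressing-safe.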

