Re: ISPs can easily decrease net abuse

From: Melinda Shore (shore_at_panix.com)
Date: 12/07/03


Date: 7 Dec 2003 15:46:55 -0500

In article <MPG.1a3d55ca933ee78989efb@news-server.columbus.rr.com>,
Leythos <void@nowhere.com> wrote:
>So, let me get this understood - you are saying that it's more secure
>for a person to have a standard Windows based computer directly
>connected to the internet than it is to have it behind a router
>utilizing NAT (or PAT)??????

I'm saying that it's more secure to be behind a firewall and
to secure your applications than it is to use a NAT to
provide firewalling functions. 'Tain't that complicated.
Worse, if you're behind a NAT and you want to start using
applications that assume reachability, whether it's
peer-to-peer apps, videoconferencing, and so on, you're
going to need to rely on technologies that introduce
security holes that wouldn't exist if you didn't have a NAT
there in the first place. This is a well-understood
problem in many quarters.

Bob Frankston, who's one of the inventors of NAT, says that
NAT is one of the biggest mistakes he made
(http://wifinetnews.com/archives/001828.html).

Microsoft's Jawad Khaki is on the road complaining loudly
about NAT - he sees it as an impediment to Microsoft being
able to sell new services, and he's right. Time after time
after time I've seen people sit down to try to figure out
how to get their stuff to work across a NAT and be
transformed into foaming-at-the-mouth NAT haters because
it's really not possible to do it securely, efficiently, and
robustly. NAT doesn't make your network more secure, it
makes it less secure, and it makes your network far less
valuable by putting artificial limits on what you can do
with it. You've been sold a bill of goods by people who
profit specifically from the putative scarcity of IPv4
addresses.

-- 
     Melinda Shore - Software longa, hardware brevis - shore@panix.com
            Bad taste is better than no taste -- Arnold Bennett

