On Oct 30, 2010, at 3:29 AM, S.P.Zeidler wrote:

> Thus wrote Keith Moore ([email protected]):
> 
>> it's the idea that you need to NAT all or most of your hosts for security 
>> reasons that is fatally flawed.
> 
> No, I don't need to NAT for security reasons, I need to restrict the
> network exchanges that may happen with un-hardened hosts for security
> reasons. The result is that NAT+firewall rules does not give any less
> connectivity than the firewall rules alone.

For your firewall, and for your policies, today.  This falls apart as soon as 
you have a need to let any of your hosts inside the NAT run an application with 
which NAT interferes.   You might think it won't happen, but the usage of the 
Internet keeps changing, people keep finding new ways to use it.  It strikes me 
as shortsighted to design a network in such a way that it impairs (by design 
rather than policy) the use of potentially valuable applications.  

And you might say that if such an app appears, that you can set up a separate 
subnet for the hosts that need to run that app.  But you don't know where that 
app needs to live on your network, nor how many hosts it needs to run on.  Such 
a solution might suffice or it might not.

You can of course do as you think best with your own network.  But IETF needs 
to be more farsighted than that.

> Adding NAT on top of the security measures that need to be there anyway does 
> not lessen the amount of connectivity these squishy hosts get, but it -may- 
> improve it.

NAT -will- impair the flexibility of your network to support applications.  NAT 
-will- impair your ability to adapt your security policy enforcement to suit 
your future needs.  Usually, having a less flexible enforcement mechanism does 
not improve your security, but rather degrades it, as you're forced to relax 
your security enforcement more than you would otherwise like to do.

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66