On Sun, 16 Jan 2011 00:12:26 -0500
Jim Gettys j...@freedesktop.org wrote:
On 01/15/2011 06:30 PM, Mark Smith wrote:
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Rossbr...@pobox.com wrote:
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling
On 01/16/2011 03:00 AM, Mark Smith wrote:
Can we *please* stop this pointless thread?
I don't think it pointless to network operators - NAT or not has
operational impacts on troubleshooting, network design, addressing plans
etc. I understand you aren't a network operator, so if you're not
On 01/15/2011 11:06 PM, Stephen Davis wrote:
I'm a full supported for getting rid of NAT when deploying IPv6, but
have to say the alternative is not all that great either.
Because what do people want, they want privacy, so they use the
IPv6 privacy extensions. Which are enabled by default on
On 01/15/2011 02:01 AM, George Bonser wrote:
From: William Herrin
Sent: Friday, January 14, 2011 4:11 PM
To: nanog@nanog.org
Subject: Re: Is NAT can provide some kind of protection?
On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong o...@delong.com wrote:
Ah, but, the point here is that NAT
On 1/15/11 1:24 PM, Leen Besselink wrote:
I'm a full supported for getting rid of NAT when deploying IPv6, but
have to say the alternative is not all that great either.
Because what do people want, they want privacy, so they use the
IPv6 privacy extensions. Which are enabled by default on
On 01/15/2011 03:01 PM, Joel Jaeggli wrote:
On 1/15/11 1:24 PM, Leen Besselink wrote:
I'm a full supported for getting rid of NAT when deploying IPv6, but
have to say the alternative is not all that great either.
Because what do people want, they want privacy, so they use the
IPv6 privacy
On Jan 15, 2011, at 6:01 AM, Joel Jaeggli wrote:
On 1/15/11 1:24 PM, Leen Besselink wrote:
I'm a full supported for getting rid of NAT when deploying IPv6, but
have to say the alternative is not all that great either.
Because what do people want, they want privacy, so they use the
IPv6
On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
demanded too much. There is money for it, so it will be there.
Jack
Yeah, I think you are right. But in really thinking about it, I wonder
why. The whole point of PAT
On Sat, Jan 15, 2011 at 4:16 PM, Brian Keefer ch...@smtps.net wrote:
1.) Allows you to redirect a privileged port (on UNIX) to a
non-privileged port. For daemons that don't implement some
form of privilege revoking after binding to a low port (and/or aren't
allowed to run as root), this is
On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote:
On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
demanded too much. There is money for it, so it will be there.
Jack
Yeah, I think you are right. But in really
I'm a full supported for getting rid of NAT when deploying IPv6, but
have to say the alternative is not all that great either.
Because what do people want, they want privacy, so they use the
IPv6 privacy extensions. Which are enabled by default on Windows
when IPv6 is used on XP, Vista and
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling reasons why PAT will
probably be implemented for IPv6:
You are neglecting the most important reason, much to my own disdain.
Service providers will continue to assign only a single IP address to
residential
On Jan 15, 2011, at 3:06 PM, Brandon Ross wrote:
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling reasons why PAT will probably be
implemented for IPv6:
You are neglecting the most important reason, much to my own disdain. Service
providers will
On Sat, 15 Jan 2011, Owen DeLong wrote:
I really doubt this will be the case in IPv6.
I really hope you are right, because I don't want to see that either,
however...
Why do you suppose they did that before with IPv4? Sure you can make the
argument NOW that v4 is in scarce supply, but 10
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Ross br...@pobox.com wrote:
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling reasons why PAT will
probably be implemented for IPv6:
You are neglecting the most important reason, much to my own disdain.
On 1/15/11 3:24 PM, Brandon Ross wrote:
On Sat, 15 Jan 2011, Owen DeLong wrote:
I really doubt this will be the case in IPv6.
I really hope you are right, because I don't want to see that either,
however...
Why do you suppose they did that before with IPv4? Sure you can make
the argument
On Sun, 16 Jan 2011, Mark Smith wrote:
How do you know - have you asked 100% of the service providers out
there and they've said unanimously that they're only going to supply a
single IPv6 address?
Huh? Who said anything about 100%? It would take only a single
reasonably sized provider
On Sat, Jan 15, 2011 at 06:24:01PM -0500, Brandon Ross wrote:
On Sat, 15 Jan 2011, Owen DeLong wrote:
I really doubt this will be the case in IPv6.
I really hope you are right, because I don't want to see that either,
however...
Why do you suppose they did that before with IPv4? Sure
-Original Message-
From: Mark Smith
[mailto:na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org]
Sent: Saturday, January 15, 2011 5:30 PM
To: Brandon Ross
Cc: NANOG list
Subject: Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Ross br
On Jan 15, 2011, at 3:30 PM, Mark Smith wrote:
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Ross br...@pobox.com wrote:
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling reasons why PAT will
probably be implemented for IPv6:
You are neglecting
On Jan 15, 2011, at 3:24 PM, Brandon Ross wrote:
On Sat, 15 Jan 2011, Owen DeLong wrote:
I really doubt this will be the case in IPv6.
I really hope you are right, because I don't want to see that either,
however...
Why do you suppose they did that before with IPv4? Sure you can
...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org]
Sent: Saturday, January 15, 2011 5:30 PM
To: Brandon Ross
Cc: NANOG list
Subject: Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Ross br...@pobox.com wrote:
On Sat, 15 Jan 2011, Brian Keefer
On Sat, 15 Jan 2011 18:39:09 -0500 (EST)
Brandon Ross br...@pobox.com wrote:
On Sun, 16 Jan 2011, Mark Smith wrote:
How do you know - have you asked 100% of the service providers out
there and they've said unanimously that they're only going to supply a
single IPv6 address?
Huh? Who
On Sat, 15 Jan 2011 18:21:52 -0600
Frank Bulk frnk...@iname.com wrote:
I hope the engineers in the organization will just tell their marketing folk
that it's not possible to hand out just one IPv6 address. Our hardware
doesn't support it.
I think there's still room for ISPs to charge
On 01/15/2011 06:30 PM, Mark Smith wrote:
On Sat, 15 Jan 2011 18:06:06 -0500 (EST)
Brandon Rossbr...@pobox.com wrote:
On Sat, 15 Jan 2011, Brian Keefer wrote:
Actually there are a couple very compelling reasons why PAT will
probably be implemented for IPv6:
You are neglecting the most
On Jan 15, 2011, at 8:03 PM, Mark Smith wrote:
On Sat, 15 Jan 2011 18:21:52 -0600
Frank Bulk frnk...@iname.com wrote:
I hope the engineers in the organization will just tell their marketing folk
that it's not possible to hand out just one IPv6 address. Our hardware
doesn't support it.
On 1/13/2011 10:50 PM, Douglas Otis wrote:
Unfortunately, a large number of web sites have been compromised, where
an unseen iFrame might be included in what is normally safe content. A
device accessing the Internet through a NATs often creates opportunities
for unknown sources to reach the
On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis do...@mail-abuse.org wrote:
Unfortunately, a large number of web sites have been compromised, where an
unseen iFrame might be included in what is normally safe content. A device
accessing the Internet through a NATs often creates opportunities for
On Jan 14, 2011, at 6:24 AM, William Herrin wrote:
On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis do...@mail-abuse.org wrote:
Unfortunately, a large number of web sites have been compromised, where an
unseen iFrame might be included in what is normally safe content. A device
accessing the
On 1/14/2011 1:43 PM, Owen DeLong wrote:
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing. Another example
where NAT can and is a security negative. The fact that you refuse
to acknowledge these is exactly what you were
On 1/14/11 11:49 AM, Jack Bates wrote:
On 1/14/2011 1:43 PM, Owen DeLong wrote:
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing. Another example
where NAT can and is a security negative. The fact that you refuse
to
On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong o...@delong.com wrote:
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing.
Hi Owen,
Doug's comments on that were pretty abstract, so let me try to ground
it a little bit. He
From: William Herrin
Sent: Friday, January 14, 2011 4:11 PM
To: nanog@nanog.org
Subject: Re: Is NAT can provide some kind of protection?
On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong o...@delong.com wrote:
Ah, but, the point here is that NAT actually serves as an enabling
technology
On 1/14/11 4:10 PM, William Herrin wrote:
On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLongo...@delong.com wrote:
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing.
As for strictly passive attacks, like the so-called drive by
On 1/12/2011 9:33 PM, Owen DeLong wrote:
If you are proxying everything, then, there isn't any actual NAT. There are
inside sessions and outside sessions.
Depends on the proxy mechanism used. In a transparent firewall proxy
layout, it generally is still considered NAT. The proxy capabilities
On Jan 13, 2011, at 9:59 AM, Jack Bates wrote:
The proxy capabilities of the firewall are additional security measures on
top of the NAT (and definitely should be deployed for their higher security
value).
Not in front of servers, they shouldn't - because they have a negative security
On 1/13/2011 10:54 AM, Dobbins, Roland wrote:
Not in front of servers, they shouldn't - because they have a negative security
value in that context.
I agree. Any content checks and reporting should be handled by the
server and not a firewall proxy which might have it's own security
On Thu, Jan 13, 2011 at 11:54 AM, Dobbins, Roland rdobb...@arbor.net wrote:
On Jan 13, 2011, at 9:59 AM, Jack Bates wrote:
The proxy capabilities of the firewall are additional security
measures on top of the NAT (and definitely should be
deployed for their higher security value).
Not in
On Thu, Jan 13, 2011 at 1:11 PM, Jack Bates jba...@brightok.net wrote:
On 1/13/2011 11:56 AM, William Herrin wrote:
So all the folks who use reverse proxies like an http accellerator are
wrong?
They have their purpose. However, depending on the security rating of the
accelerator versus the
On Wednesday, January 12, 2011 12:01:27 pm George Bonser wrote:
With v4 PAT, you can not
be sure which address/port on the external IP maps to which address/port
on the inside IP at any given moment and PAT is stateful in that an
outbound packet is required to start the mapping.
On Cisco at
On Wednesday, January 12, 2011 12:16:27 pm valdis.kletni...@vt.edu wrote:
140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
How many more would there be if most PC's were not behind NAT or stateful
firewalling?
Or, to turn it on its ear, Windows is the best OS; 250
On Wednesday, March 21, 2007 05:41:00 am Tarig Ahmed wrote:
Is it true that NAT can provide more security?
Blast from the past
Whew, is there any subject more guaranteed to cause a long thread than this? :-)
I have some ideas on this; there are some creative manglings one can do with
NAT
On Jan 13, 2011, at 11:44 AM, Lamar Owen wrote:
On Wednesday, January 12, 2011 12:16:27 pm valdis.kletni...@vt.edu wrote:
140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
How many more would there be if most PC's were not behind NAT or stateful
firewalling?
On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
This is demonstrably not correct. Even in the case of dynamic overloaded NAT,
at least on Cisco, there is no
On Jan 13, 2011, at 1:21 PM, Lamar Owen wrote:
On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
This is demonstrably not correct. Even in the case of dynamic
On Thursday, January 13, 2011 04:32:17 pm Owen DeLong wrote:
No match, no rewrite, no forward.
This is what you're missing; 'no rewrite' does not mean 'no forward'.
Non-rewritten packets along with the rewritten *are* forwarded to routing; in a
firewall they're not forwarded to routing. What
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews ma...@isc.org wrote:
In message aanlktikixf_mbuo-oskpjsw98vn5_d5wznui_pl37...@mail.gmail.com,
William
Herrin writes:
There's actually a large difference between something that's
impossible for a technology to do (even in theory), something that
On Jan 13, 2011, at 5:48 PM, William Herrin wrote:
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews ma...@isc.org wrote:
In message aanlktikixf_mbuo-oskpjsw98vn5_d5wznui_pl37...@mail.gmail.com,
William
Herrin writes:
There's actually a large difference between something that's
impossible
On 1/13/11 5:48 PM, William Herrin wrote:
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrewsma...@isc.org wrote:
In messageaanlktikixf_mbuo-oskpjsw98vn5_d5wznui_pl37...@mail.gmail.com,
William
Herrin writes:
There's actually a large difference between something that's
impossible for a
We have wide range of Public IP addresses, I tried to assign public ip
directly to a server behined firewall( in DMZ), but I have been
resisted.
Security guy told me is not correct to assign public ip to a server,
it should have private ip for security reasons.
Is it true that NAT can
On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
Your security person is probably confusing NAT with firewalling, as NAT
devices will intrinsically do firewalling of various forms, sometimes
stateful, sometimes not. Stateful firewalling _may_
In fact our firewall is stateful.
This is why I thought, we no need to Nat at least our servers.
Tarig Yassin Ahmed
On Jan 12, 2011, at 4:59 PM, Nick Hilliard n...@foobar.org wrote:
On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
Your security
On 3/21/2007 6:25 AM, Tarig Ahmed wrote:
In fact our firewall is stateful.
This is why I thought, we no need to Nat at least our servers.
Tarig Yassin Ahmed
On Jan 12, 2011, at 4:59 PM, Nick Hilliard n...@foobar.org wrote:
On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can
On 01/12/2011 02:59 PM, Nick Hilliard wrote:
On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
[snip]
Your security guy will probably say that a private IP address will
give better protection because it's not reachable on the internet.
But the
+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding your server is
still public facing.
If your firewall is merely stateful and not deep packet inspecting all it's
doing is seeing is that the statefulness of the connection meets it's
requirements. You could have that and still
Is it true that NAT can provide more security?
Thanks,
Tarig Yassin Ahmed
You are going to get different answers from different people. In and of
itself it doesn't provide security but it does place one more layer of
difficulty in getting at your internal machines. On the other hand,
On 12/01/2011 01:17 p.m., George Bonser wrote:
But your security person needs to shift their thinking because the
purpose of NAT and private addressing is to conserve IP address, not to
provide security. With IPv6, the concept of NAT goes away.
You have heard about NAT66, right?
Thanks,
Tell your security guy he should be looking for another job.
On 21/03/2007, at 8:41 PM, Tarig Ahmed tariq198...@hotmail.com wrote:
We have wide range of Public IP addresses, I tried to assign public ip
directly to a server behined firewall( in DMZ), but I have been resisted.
Security guy
-Original Message-
From: Fernando Gont [mailto:fernando.gont.netbook@gmail.com] On
Behalf Of Fernando Gont
Sent: Wednesday, January 12, 2011 8:54 AM
To: George Bonser
Cc: Tarig Ahmed; nanog@nanog.org
Subject: Re: Is NAT can provide some kind of protection?
On 12/01/2011 01
On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed tariq198...@hotmail.com wrote:
We have wide range of Public IP addresses, I tried to assign public ip
directly to a server behined firewall( in DMZ), but I have been resisted.
Security guy told me is not correct to assign public ip to a server, it
On 1/12/2011 11:01 AM, George Bonser wrote:
NAT66 is just
straight static NAT that maps one prefix to a different prefix.
I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
demanded too much. There is money for it, so it will be there.
Jack
On 3/21/07 2:41 AM, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
However, some things like PCI compliance require NAT, likely because of
the NAT = super hacker firewall concept.
~Seth
On Wed, 12 Jan 2011 16:01:15 +0100, =?ISO-8859-1?Q?Lor=E1nd_Jakab?= said:
This setup will provide *less* security. Apart from the DoS scenario,
should your public facing server get compromised, you have given easy
access to your private infrastructure.
If a public server behind a NAT gets
I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
demanded too much. There is money for it, so it will be there.
Jack
Yeah, I think you are right. But in really thinking about it, I wonder
why. The whole point of PAT was address conservation. You don't need
that with
On 1/12/2011 11:16 AM, valdis.kletni...@vt.edu wrote:
140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
And yet blaster type worms are less common now, and I still get the
occasional reinfection reported where a computer shop installs XP
pre-patch with a public IP.
On 1/12/2011 11:21 AM, George Bonser wrote:
PAT makes little sense to me for v6, but I suspect you are correct. In
addition, we are putting the fire suit on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.
As my corp IT guy put it to me, PAT
And yet blaster type worms are less common now, and I still get the
occasional reinfection reported where a computer shop installs XP pre-patch
with a public IP. A simple stateful firewall or NAT router would stop that and
allow them to finish patching the OS. There is always a new attack
On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates jba...@brightok.net wrote:
As my corp IT guy put it to me, PAT forces a routing disconnect between
internal and external. There is no way to reach the hosts without the
firewall performing it's NAT function.
But that's not true. If you have NAT,
On 1/12/2011 11:52 AM, Nathan Eisenberg wrote:
I'd argue that the above has everything to do with firewalling, and nothing to
do with NAT.
I agree, but both effectively handle the job. My point is that just
because we have lots of infections behind NAT, doesn't mean that NAT (or
a
On 1/12/2011 11:57 AM, Steven Kurylo wrote:
Some benefit? Yes. Enough benefit to be worth the trouble? I
personally am not convinced.
Some people believe it is. Who am I to tell them how to run their
network? They block facebook and yahoo. I, unfortunately, can't. :)
Considering the
On Jan 12, 2011, at 8:54 AM, Fernando Gont wrote:
On 12/01/2011 01:17 p.m., George Bonser wrote:
But your security person needs to shift their thinking because the
purpose of NAT and private addressing is to conserve IP address, not to
provide security. With IPv6, the concept of NAT goes
On Jan 12, 2011, at 9:07 AM, Jack Bates wrote:
On 1/12/2011 11:01 AM, George Bonser wrote:
NAT66 is just
straight static NAT that maps one prefix to a different prefix.
I'd eat a hat if a vendor didn't implement a PAT equivalent. It's demanded
too much. There is money for it, so it
On Jan 12, 2011, at 9:04 AM, William Herrin wrote:
On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed tariq198...@hotmail.com wrote:
We have wide range of Public IP addresses, I tried to assign public ip
directly to a server behined firewall( in DMZ), but I have been resisted.
Security guy told me
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong o...@delong.com wrote:
No, NAT doesn't provide additional security. The stateful inspection that
NAT cannot operate without provides the security. Take away the
address mangling and the stateful
On Wed, Mar 21, 2007 at 2:41 AM, Tarig Ahmed tariq198...@hotmail.com wrote:
We have wide range of Public IP addresses, I tried to assign public ip
directly to a server behined firewall( in DMZ), but I have been resisted.
Security guy told me is not correct to assign public ip to a server, it
There is a least one situation where NAT *does* provide a small amount of
necessary security.
Try this at home, with/without NAT:
1. Buy a new PC with Windows installed
2. Install all security patches needed since the OS was installed
Without NAT, you're unpatched PC will get infected in
On Jan 12, 2011, at 9:36 AM, Jack Bates wrote:
On 1/12/2011 11:21 AM, George Bonser wrote:
PAT makes little sense to me for v6, but I suspect you are correct. In
addition, we are putting the fire suit on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix
On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong o...@delong.com wrote:
No, NAT doesn't provide additional security. The stateful inspection that
NAT cannot operate without provides the
Few home users have a stateful firewall configured and AFAIK none of the
consumer models come with a good default set of rules much less a drop
all unknown. For end users NAT is and will likely to continue to be the
most significant and effective front line security they have. Home
router
On 1/12/2011 1:35 PM, Owen DeLong wrote:
The corp IT guy is delusional. The solution to the routing disconnect
is map+encap or tunnels. Many exploits now take advantage of these
technologies to use a system compromised through point-click-pwn3d to
provide a route into the rest of the network. If
Once upon a time, Scott Helms khe...@ispalliance.net said:
Few home users have a stateful firewall configured
Yes, they do. NAT requires a stateful firewall. Why is that so hard to
understand?
--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I
On 1/12/2011 2:13 PM, Scott Helms wrote:
Until someone makes an effort to create either a DMZ entry or starts
doing port forwarding all (AFAIK) of the common routers will drop
packets that they don't know where to forward them.
This can be easily implemented in stateful firewalls for home
No it really doesn't. Thank you for leaving the key word when you
quoted me (configured). The difference is the _default_ behavior of the
two. NAT by _default_ drops packets it doesn't have a mapped PAT
translation for. Home firewalls do not _default_ to dropping all
packets they don't
On Jan 12, 2011, at 12:13 PM, Scott Helms wrote:
Few home users have a stateful firewall configured and AFAIK none of the
consumer models come with a good default set of rules much less a drop all
unknown. For end users NAT is and will likely to continue to be the most
significant and
On Wed, 12 Jan 2011, Chris Adams wrote:
Yes, they do. NAT requires a stateful firewall. Why is that so hard to
understand?
Um. No. NAT requires stateful inspection (because NAT needs to maintain
a state table), but does not require a stateful firewall. You can (and
many CPE appliances
On 1/12/2011 2:57 PM, Owen DeLong wrote:
Try this at home, with/without NAT:
1. Buy a new PC with Windows installed
2. Install all security patches needed since the OS was installed
Without NAT, you're unpatched PC will get infected in less than 1 minute.
Wrong.
Repeat the experiment with
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
Really? I just tested this with 8 different router models from 5
different manufacturers and in all cases the default behavior was the
same. Put a public IP on a PC behind the
On Wed, 12 Jan 2011 15:13:43 EST, Scott Helms said:
Few home users have a stateful firewall configured
What percent of home users are running a Windows older than XP SP2?
pgp0QIpK5GmKt.pgp
Description: PGP signature
On 1/12/2011 3:05 PM, Scott Helms wrote:
If someone knows of a model that does block incoming (non-established
TCP) traffic by default I'd like to know about it. That's especially
true of combo DSL modem routers.
I believe Visionnet's v6 dsl modem does, as well as comtrends.
Jack
On Wed, 12 Jan 2011 11:21:24 PST, Paul Ferguson said:
Try this at home, with/without NAT:
1. Buy a new PC with Windows installed
2. Install all security patches needed since the OS was installed
Without NAT, you're unpatched PC will get infected in less than 1 minute.
What release of
On Wed, 12 Jan 2011 16:05:42 EST, Scott Helms said:
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
Really? I just tested this with 8 different router models from 5
different manufacturers and in all cases the default
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 1:18 PM, valdis.kletni...@vt.edu wrote:
On Wed, 12 Jan 2011 11:21:24 PST, Paul Ferguson said:
Try this at home, with/without NAT:
1. Buy a new PC with Windows installed
2. Install all security patches needed since the
On Jan 12, 2011, at 1:05 PM, Scott Helms wrote:
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.
Really? I just tested this with 8 different router models from 5 different
manufacturers and in all cases the default
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, Jan 12, 2011 at 1:16 PM, valdis.kletni...@vt.edu wrote:
On Wed, 12 Jan 2011 15:13:43 EST, Scott Helms said:
Few home users have a stateful firewall configured
What percent of home users are running a Windows older than XP SP2?
I don't
On Wed, Jan 12, 2011 at 12:16 PM, valdis.kletni...@vt.edu wrote:
On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
In a client (rather than server) scenario, the picture is different.
Depending on the specific NAT technology in use, the firewall may be
incapable of selecting a target for
On Jan 12, 2011, at 6:13 PM, William Herrin wrote:
On Wed, Jan 12, 2011 at 12:16 PM, valdis.kletni...@vt.edu wrote:
On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
In a client (rather than server) scenario, the picture is different.
Depending on the specific NAT technology in use,
I hesitate to venture into this thread, but while Owen is correct in the
general
case (NAT qua NAT provides no more security than a stateful firewall), there
is a corner case in which security is improved via NAT. The case is that of an
enterprise network which uses 1918 addressing for all
On Jan 12, 2011, at 7:23 PM, David Barak wrote:
I hesitate to venture into this thread, but while Owen is correct in the
general
case (NAT qua NAT provides no more security than a stateful firewall),
there
is a corner case in which security is improved via NAT. The case is that of
an
On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
Security guy told me is not correct to assign public ip to a server, it
should have private ip for security reasons.
He's wrong.
Is it true that NAT can provide more security?
No, it makes things worse from an availability perspective.
Unfortunately there are some sets of requirements which require this
type of configuration. The PCI-DSS comes to mind for those who deal
with credit card transactions.
-Justin
On Wednesday, January 12, 2011, Dobbins, Roland rdobb...@arbor.net wrote:
On Mar 21, 2007, at 5:41 AM, Tarig Ahmed
1 - 100 of 104 matches
Mail list logo