[ale] OT move to new Colo that wants to use NAT

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 10 12:05:04 EST 2008


On Mon, 2008-11-10 at 11:28 -0500, Geoffrey wrote:
> Jim Popovitch wrote:
> > On Sun, Nov 9, 2008 at 19:01, Chris Fowler <cfowler at outpostsentinel.com> wrote:
> >> *From our Network Administrator:
> >> We're doing a NAT'd VLAN for Outpostsentinal.com, so their systems will need
> >> to be set with the following IP range:
> >> 10.1.1.2-17, with a gateway of 10.1.1.1.
> >> Their public IPs are 65.254.217.210-225 in the same order (ie:
> >> 65.254.217.210 goes to 10.1.1.2, 65.254.217.211 goes to 10.1.1.3, etc)*
> > 
> > Have you tried asking them for public IPs?    If they don't have any
> > to offer, ask them if they will support (BGP) your own ARIN
> > allocation.
> > 
> > IMHO, their move to do this is both good and bad.  Good because it
> > protects the idiots who lease systems they don't know how to secure,
> > bad because it removes capabilities that quality technical folks need.
> 
> Security by obscurity???  I think not.  I would not suggest that NAT is 
> any more secure than a public static IP.

	Than a global unicast address behind a good stateful firewall that was,
at least, designed for security.

	Many (most) NAT devices do incorporate firewalls and are inherently
stateful.  I argue that the security of those devices derives from their
statefulness and their firewalling alone and that no additional security
is derived from being on private addresses behind that stateful firewall
as opposed to being on global unicast addresses behind that stateful
firewall.  The address translations themselves add nothing to the
security and can even be harmful, as illustrated by the real world
examples I've given.

> -- 
> Until later, Geoffrey
> 
> Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety.
>   - Benjamin Franklin

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
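To make the point of the reply concrete, here is an added example that is not from the thread: an nftables ruleset for a gateway fronting the VLAN described in the quoted note. The interface names, the published ports and every address pair beyond the first two are assumptions. Removing the two nat chains leaves the forward chain, and therefore the protection, exactly as it is; only the connection-state rules decide which inbound packets reach the hosts.

```nft
# Added example, not from the original thread.
# Assumed: eth0 faces the Internet, eth1 faces the 10.1.1.0/24 VLAN.
table ip colo {
    # 1:1 static translation as described in the quoted note.
    # Only the first two pairs are listed; the rest follow in order
    # (65.254.217.212 -> 10.1.1.4, ... 65.254.217.225 -> 10.1.1.17).
    map pub2priv {
        type ipv4_addr : ipv4_addr
        elements = { 65.254.217.210 : 10.1.1.2,
                     65.254.217.211 : 10.1.1.3 }
    }
    map priv2pub {
        type ipv4_addr : ipv4_addr
        elements = { 10.1.1.2 : 65.254.217.210,
                     10.1.1.3 : 65.254.217.211 }
    }

    # Address translation only; nothing here accepts or drops traffic.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" dnat to ip daddr map @pub2priv
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" snat to ip saddr map @priv2pub
    }

    # The security lives here. The forward hook sees the translated
    # (private) destination, but the rules would be identical if the
    # hosts carried global unicast addresses directly.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Inside hosts may open outbound connections.
        iifname "eth1" oifname "eth0" ct state new accept
        # Unsolicited inbound reaches only the services deliberately
        # published (ports are an assumption for the example).
        iifname "eth0" oifname "eth1" ip daddr 10.1.1.2 \
            tcp dport { 22, 443 } ct state new accept
        # Everything else from outside is dropped by the chain policy.
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the same forward chain, with the maps and nat chains deleted, applies unchanged to hosts that use public addresses.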
