This was on the ALE list, but really belongs elsewhere...
Apologies in advance to those that get multiple copies.
Brian said:
>>Semantics check: when I write NAT I mean IP-level address translation.
>>Application level gateways are different and of course they work
>>(they can even do application protocol translation if you want).
>>They are however a pain to operate - we used to run a file transfer
>>gateway, and we still have to run mail and terminal emulation gateways.
Eric said:
>Check. We have the same viewpoint once again and the only sticking point
>was in wording/communication of that viewpoint. In my own mind I had
>written off NATs as being impractical to implement but that the idea was
>great. Thus, I had mentally substituted for that term (NAT) an entity
>which is somewhat practical to implement (application layer gateways) and
>which does the same thing. I prefer the term "NAT" because it represents
>what is LOGICALLY happening.
When Noel first told me about NATs, I got excited. Something that might be
easier than application gateways, read firewalls.
But I studied the NATs issues. And I listened in on the FIREWALLS list for
a couple of months and came to an important realization:
Network level security is worthless as long as there is application
insecurity. And thus there will always be application gateways to institute
corporate security policies.
Yes I am fighting VERY hard to allow all employees to have public EMail, but
nFrom firewalls-owner Fri Apr 29 16:33:15 1994
Return-Path: <Firewalls-Owner>
Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103)
id QAA11909; Fri, 29 Apr 1994 16:33:15 GMT
Received: from uu.psi.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-931103)
id JAA11901; Fri, 29 Apr 1994 09:33:01 -0700
Received: by uu.psi.com (5.65b/4.0.061193-PSI/PSINet) via UUCP;
id AA10229 for ; Fri, 29 Apr 94 12:13:00 -0400
Received: from asgaard.rocket.com (asgaard.ARPA) by earth.rocket.com (4.1/3.2.083191-Olin Aerospace Company - Redmond Wa)
id AA23664; Fri, 29 Apr 94 07:40:18 PDT
Organization: Olin Aerospace Company
Telephone: (206)885-5000
Fax: (206)882-5804
Received: by asgaard.rocket.com (4.1/SMI-4.1)
id AA15079; Fri, 29 Apr 94 07:40:17 PDT
Date: Fri, 29 Apr 94 07:40:17 PDT
Message-Id: <9404291440.AA15079@asgaard.rocket.com>
To: 0003858921@mcimail.com
Cc: ericf@atc.boeing.com, brian@dxcoms.cern.ch, ipv4-ale@ftp.com,
big-internet@munnari.oz.au, firewalls@greatcircle.com
In-Reply-To: <40940429103904/0003858921NA3EM@mcimail.com>
Subject: Re: NATs
From: "Philip J. Nesser" <Pjnesser@rocket.com>
Us-Snail: 15825 Leary Way NE #306, Redmond WA, 98052
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
>Date: Fri, 29 Apr 94 05:39 EST
>From: "Robert G. Moskowitz" <0003858921@mcimail.com>
>When Noel first told me about NATs, I got excited. Something that might be
>easier than application gateways, read firewalls.
>But I studied the NATs issues. And I listened in on the FIREWALLS list for
>a couple of months and came to an important realization:
>Network level security is worthless as long as there is application
>insecurity.
I don't think anyone will argue with you on that issue.
>So all of you IETFers, continue the network level security work. That has
>an important place. But DO NOT DELUDE YOURSELVES! It will not make the
>internet secure anymore than C2 has made UNIX secure. The application
>writers need to be indoctrinated also. Perhaps after there is a major
>security incident at some big university or company that is all C2 UNIX and
>IPng authenticated due to an application level attack, then we will raise
>our eyes and tackle the last great frontier, the network applications.
I don't think anyone is deluding themselves. Security is an issue at all
levels. Just because some application writer doesn't take the time to do
it right doesn't invalidate the validity of the work on making another
layer as secure as possible. People, especially in the IETF, are taking
security concerns much more seriously than ever before. Putting a deadbolt
lock on your front door doesn't keep burglars out if you have open windows,
but that doesn't mean it's a bad idea to have one put in.
>Bob
---> Phil