Great Circle Associates Firewalls
(January 1997)
 


Subject: Re[2]: NT NAT
From: dharris @ kcp . com
Date: Fri, 3 Jan 1997 13:46:49 -0600
To: "'Firewalls Mailing List'" <firewalls @ GreatCircle . COM>, Carl Karlsson <ckn @ findata . se>

Added security?  Only that extra security provided by not having your network's 
addresses known to the 'net.  The NAT provides no extra protection from someone 
"outside" who knows or deduces (from unparsed E-mail headers, perhaps) your 
actual addresses.  It also provides no activity logging for later audit, at 
least not as part of the NAT function.

Is it better than nothing?  Arguably, yes, because it is an extra layer between 
your network and the 'net.  Is it dangerous?  Yes, especially if you think you 
are protected against attack because you have a NAT.

Oops, I suppose I have just contradicted Russ.  I think I just said that a NAT 
does provide some small measure of security.  I guess I would put a NAT 
somewhere way below a screen router in the hierarchy of "firewalls", but I would
definitely include it as part of the arsenal of a scapegoat.  (Q: If the person 
who runs the web site is the webmaster, the one who runs a postoffice is a 
postmaster, what is the person who runs the firewall between two networks?  A: 
You call her or him the scapegoat.)


______________________________ Reply Separator _________________________________
Subject: RE: NT NAT 
Author:  Carl Karlsson <ckn @ findata . se> at INTERNET-MAIL
Date:    1/3/97 5:43 PM



On Fri, 3 Jan 1997, Russ wrote:

> You got anything intelligent to say on just why you think NAT offers ANY
> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.

I'd like to know if and why this means that masquerading one's network
behind a 'secured' host doesn't provide any added security from just
connecting the network straight out? Or am I missing something here (not
unusual :)?

I was under the impression that if I use some box (Linux with TIS fwtk for
example, or that NT box perhaps?) masquerading my network and using
192.168.x.x-addresses inside, I would be at least a little bit more secure
than if I had all my w95/nt/unix machines directly connected to the
internet?
(Not talking super-secure here, not flaming anyone, but just interested!
Pointers do nicely if this is already well-known...)


  Calle


