[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Arguing against using public IP space

Subject: Arguing against using public IP space
From: jra at baylink.com (Jay Ashworth)
Date: Sun, 13 Nov 2011 18:36:31 -0500 (EST)
In-reply-to: <[email protected]>

---- Original Message -----
> From: "Doug Barton" <dougb at dougbarton.us>

> On 11/13/2011 13:27, Phil Regnauld wrote:
> > 	That's not exactly correct. NAT doesn't imply
> > 	firewalling/filtering.
> > 	To illustrate this to customers, I've mounted attacks/scans on
> > 	hosts behind NAT devices, from the interconnect network immediately
> > 	outside: if you can point a route with the ext ip of the NAT device
> > 	as the next hop, it usually just forwards the packets...
> 
> Have you written this up anywhere? It would be absolutely awesome to
> be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.

Accepting strict source routing from a public interface is certainly in the
top 10 Worst Common Practices, is it not?  (IE: I would be surprised if *any*
current router actually let you do that.)

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

References:
- Arguing against using public IP space
  - From: dougb at dougbarton.us (Doug Barton)

Prev by Date: Arguing against using public IP space
Next by Date: Arguing against using public IP space
Previous by thread: Arguing against using public IP space
Next by thread: Arguing against using public IP space
Index(es):
- Date
- Thread