Security gain from NAT (was: Re: Cool IPv6 Stuff)

From owner-nanog@merit.edu Mon Jun 4 13:54:55 2007
Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
Date: Mon, 4 Jun 2007 14:47:06 -0400

> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box?

Perhaps you should run a corresponding experiment whereby you set up
a Linux box with a globally-unique address, put it behind a firewall
which blocks all incoming traffic to that box, and issue a similar
invitation.

Do you think the results will be different?

Consider the possible *FAILURE* modes.
  e.g. (1) where somebody brings up _another_ path between the LAN that that
           box is on, and the public internet, with no translations or other
           protections whatsoever.
       (2) where the 'protection box' "fails open" -- e.g. passes all traffic
           without modification.

NAT/PAT is 'belt and suspenders', but it *does* provide an additional layer of
protection, _if_the_primary_protection_fails_.

That 'additional protection' may or may not be 'significant', depending on
one's viewpoint.
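Added example, not part of the thread: a toy model of the two set-ups under failure mode (2), an inbound filter that fails open. The "firewall that blocks all incoming traffic" is modelled as a stateful reply-only filter, PAT as a table populated only by outbound flows, and every address is a constructed documentation value.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport")
PUBLIC_IP = "203.0.113.1"    # constructed: the gateway's public address (PAT case)
GLOBAL_HOST = "203.0.113.5"  # constructed: the box when it has a globally-unique address
LAN_HOST = "10.0.0.5"        # constructed: the box on RFC1918 space behind PAT
OUTSIDE = "198.51.100.7"     # constructed: a host on the public Internet

class Gateway:
    """A stateful 'block all incoming' filter in front of an optional PAT stage."""
    def __init__(self, filter_ok: bool, pat: bool) -> None:
        self.filter_ok = filter_ok  # False models failure mode (2): the filter fails open
        self.pat = pat              # False models the globally addressed variant
        self.conntrack = set()      # expected reply 4-tuples (src, sport, dst, dport)
        self.table = {}             # PAT state: public port -> (lan ip, lan port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: note the flow; with PAT, rewrite the source to public ip/port."""
        if self.pat:
            pub = next((p for p, v in self.table.items() if v == (pkt.src, pkt.sport)), None)
            if pub is None:
                pub, self.next_port = self.next_port, self.next_port + 1
                self.table[pub] = (pkt.src, pkt.sport)
            pkt = Packet(PUBLIC_IP, pub, pkt.dst, pkt.dport)
        self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt

    def inbound(self, pkt: Packet) -> "Packet | None":
        """Internet -> LAN: None means dropped, otherwise the packet as seen on the LAN."""
        is_reply = (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack
        if self.filter_ok and not is_reply:
            return None                  # primary protection doing its job
        if not self.pat:
            return pkt                   # global address: forwarded unchanged
        if pkt.dst != PUBLIC_IP or pkt.dport not in self.table:
            return None                  # no mapping, so nothing to translate to
        lan_ip, lan_port = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)

def unsolicited_ssh_reaches_host(filter_ok: bool, pat: bool) -> bool:
    """Does a SYN to port 22 reach a box that has opened no outbound flow?"""
    gw = Gateway(filter_ok, pat)
    return gw.inbound(Packet(OUTSIDE, 51515, PUBLIC_IP if pat else GLOBAL_HOST, 22)) is not None

def reply_reaches_host(pat: bool) -> bool:
    """Sanity check: replies to a flow the box opened still get back in either setup."""
    gw, host = Gateway(True, pat), (LAN_HOST if pat else GLOBAL_HOST)
    out = gw.outbound(Packet(host, 55000, OUTSIDE, 80))
    back = gw.inbound(Packet(OUTSIDE, 80, out.src, out.sport))
    return back is not None and (back.dst, back.dport) == (host, 55000)
```

With the filter working, neither box is reachable; with the filter failed open, the globally addressed box is reached while the PAT box is not, because no translation exists for the unsolicited packet. Failure mode (1), a second untranslated path into the LAN, bypasses this gateway entirely and is not modelled here.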