[ale] OT move to new Colo that wants to use NAT

Pat Regan thehead at patshead.com
Mon Nov 10 12:52:10 EST 2008


Daniel Kahn Gillmor wrote:
> Bah.  NAT is not the answer.  NAT is a question.  And the answer is
> "No".
> 

First off, I completely agree with everyone who says NAT is completely
worthless for security.  The only reason NAT is more secure for anyone
is because you likely have to have a firewall in place to do the
translation, and since most people are doing one-to-many NAT they are
most definitely denying by default.

That said, if I control the routers and firewalls I will be much more
likely to use NAT than not.  I don't like to map public addresses to
machines.  I prefer to map my public addresses to services.

That lets me move services from machine to machine without the outside
world knowing what is happening.  An instant firewall rule change is
much faster than waiting for the world to catch up to a DNS change.

Pat
