No Metrics [LWN.net]

No Metrics

Posted May 19, 2011 18:46 UTC (Thu) by oelewapperke (guest, #74309)
In reply to: No Metrics by Cyberax
Parent article: Scale Fail (part 1)

Actually, given the amount of security holes ... and how secure a company is by default from remote (ie. they only get infected by surfing porn sites or opening suspicious mail) ...

It kinda does solve a lot of problems.

I mean, I hate nat just like the next guy. But you won't get anywhere by declaring it doesn't solve anything. You'll be just like gaia idiots screaming before the capitol to get America off oil, not realizing they're basically asking America to cut it's economy by 95% or more. Not going to happen (and it's a *good* thing we don't honor such requests)

NAT is a beautifully simple solution. And it is possible to modify just about any protocol to work with nat. I fear nat and ipv4 may be here to stay.

Certainly converting RIPE, APNIC and AFRINIC over to ARIN rules would give us another 10 years easily. Saying "an IP will cost you $0.01 per year" will get us another 100 years.

to post comments

No Metrics

Posted May 19, 2011 19:11 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

A stateful firewall which simply blocks all incoming connections (i.e. a NAT setup minus the actual address and/or port translation) gets you all the security benefits of NAT without most of the hassle. As a bonus, if you want to run the same services on two or more servers they can each use their own addresses rather than competing for the standard port numbers.

Anyway, most home routers aren't much more secure with NAT, since they allow ports to be forwarded via UPnP requests. If you're running a server and opening forwarding ports with UPnP you might as well permit direct access; if not, blocking the connection at the server (because the port is closed) is just as effective as blocking it at the firewall. An effective firewall must be configured by the network administrator to accept or reject specific traffic, not simply permit incoming connections to any local server that asks politely while blocking the ones which would have been rejected anyway.