[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))
Christopher A. Martin
chris at InfraVAST.com
Wed Nov 16 04:39:51 GMT 2005
This is a truth about NAT and a requirement that many of the SBC and
firewall vendors will tell you I drove home many a time... topology hiding
is a form of security, as stated below. The more you can hide from an
attacker the more they have to work to be successful.
Unfortunately many of the SIP proxy implementors and firewall/SBC
vendors apparently still do not wish to completely hide all internal
information in this manner (it leaves one less table to consume
resources?), as indicated by recent snippets of captures that I receive
from time to time for review.
Then again, most implementations do deploy 1918 address space, which is
easy enough to guess, especially when automated, but there are many more
enterprises that deploy registered routable address space that may not
wish to expose this fact.
Just another tidbit to think about.
Chris
dan_york at Mitel.com wrote:
>Dustin D. Trammell wrote:
>
>
>
>>I think Dan may have been referring to the "security" of NAT not from a
>>traffic policy/enforcement perspective, but from an attacker's
>>reconnaissance perspective. <snip>
>>
>>
>
>Yes, that was the point I was making... many IT security people whom I
>know do view NAT as a form of 'security through obscurity'. Yes, it's
>not all that much security, but as you (Dustin) noted, it's sort of like
>the old question/joke:
>
>Q: If you and a friend are hiking and suddenly disturb a large, angry,
>hungry bear who turns and chases you, how fast do you have to run?
>A: Just faster than your friend!
>
>My point was that many IT security people view NAT as yet another layer
>in their defenses and will not easily give that up.
>
>I do realize that point and the original question has somewhat been lost
>in the fascinating exchange that's been going on under this subject line,
>but I, for one, have enjoyed reading the exchange, even if I'm only
>getting a chance to do so now.
>
>Regards,
>Dan
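
The kind of capture review mentioned in the message above, as an added example that is not part of the original thread: a Python script that lists IPv4 literals a border element left in SIP headers and SDP, separating RFC 1918 addresses from routable ones that are not on an allow-list of edge addresses. The sample message, its addresses and the `find_leaks` name are constructed for illustration; header folding and IPv6 are not handled.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers (with compact forms) that routinely carry host addresses.
SIP_HEADERS = {"via", "v", "contact", "m", "record-route", "route", "call-id", "i"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_leaks(sip_message, allowed_edge):
    """Return (field, address, kind) for each IPv4 literal not in allowed_edge."""
    allowed = {ipaddress.ip_address(a) for a in allowed_edge}
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):             # request line has no matching name
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in SIP_HEADERS:
            fields.append((name.strip(), value))
    for line in body.split("\n"):
        if line[:2] in ("o=", "c="):          # SDP origin and connection lines
            fields.append(("SDP " + line[:2], line[2:]))
    findings = []
    for field, value in fields:
        for text in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:                # not a valid address, e.g. 999.1.1.1
                continue
            if addr in allowed:               # the advertised edge address is expected
                continue
            kind = "rfc1918" if any(addr in n for n in RFC1918) else "routable"
            findings.append((field, text, kind))
    return findings

# Constructed sample: INVITE as seen outside an edge device at 203.0.113.10.
SAMPLE = """\
INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKedge
Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bKcore
Call-ID: a84b4c76e66710@192.168.1.57
Contact: <sip:alice@203.0.113.10:5060>

v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.57
c=IN IP4 198.51.100.77
m=audio 49170 RTP/AVP 0
"""

if __name__ == "__main__":
    print(*find_leaks(SAMPLE, {"203.0.113.10"}), sep="\n")
```

The `routable` finding on the `c=` line is the case raised in the message: an address outside RFC 1918 space that still reveals internal topology unless it is the intended edge address.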