Comment by Dylan16807
1 month ago
> No, you cannot get a connection to the device.
...okay? I didn't say you can. I said that line in the marketing implies you can, as part of how it's wrong.
If that wrong line in the marketing is the strongest evidence for NAT being initially understood as a security feature, that's very weak evidence for the pile.
(If the way I worded things needs more clarification, let me try to elaborate. There is a way in which NAT would prevent the connection, but that aspect of NAT is not what the marketing sentence talked about. It incorrectly talked about a different aspect of NAT. While there could theoretically be a device that uses NAT for protection, this device uses the firewall for protection. Just like basically every other device that can do NAT.)
I'm not sure why you're digging in this way. The marketing material is clearly making security arguments. Whether or not you agree with them is entirely irrelevant because the statement was that NAT was marketed as a security feature.
> I'm not sure why you're digging in this way. The marketing material is clearly making security arguments.
Oh, I see where you're misunderstanding the claim I'm making, continued from what simoncion was saying.
Yes, the marketing is making security arguments. The PIX is a security device as one of its main functions.
The feature that was put in specifically for security is its firewall. The NAT isn't adding anything on top of that, security-wise.
> Whether or not you agree with them is entirely irrelevant because the statement was that NAT was marketed as a security feature.
The original claim is that companies generally saw NAT itself as a security feature. That goes beyond a single incoherent sentence in a piece of marketing about a device that had NAT and a firewall. Again, I accept that the sentence is some evidence for the idea but it's so weak. This is something that happened just a couple decades ago, there should be plenty of evidence of actual decision-making.
Also it occurs to me that the phrase "know which machine on the corporate network is using a Class C address" might be talking about NATing entire IPs, every port at once. In which case that's very much not a security feature. NAT like that puts the machine naked on the internet. It's about as secure as having your devices get publicly routable addresses out of DHCP. So if that's what they meant, that sentence is making unjustified claims. Did one easily disproven line in a pamphlet convince an industry?
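An added illustration of the distinction the post above draws (this is example code, not anything from the thread or from the PIX): a toy model of port-overloading NAT, where an unsolicited inbound packet is dropped only because no translation state exists for it, beside a static one-to-one address mapping, where every port of the inside host is reachable. All addresses are constructed RFC 5737 documentation addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortOverloadNat:
    """Many-to-one NAT (PAT). A translation exists only after an inside host
    sends outbound, so an inbound packet with no matching state is dropped.
    The state also records the remote endpoint, so a third party cannot reuse
    a mapping opened towards someone else (assumed symmetric behaviour)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_pub_port = {}   # public port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.by_flow = {}       # (inside_ip, inside_port, remote_ip, remote_port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:          # first packet of the flow creates state
            self.by_flow[flow] = self.next_port
            self.by_pub_port[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        flow = self.by_pub_port.get(pkt.dst_port)
        # No state, or state opened towards a different remote endpoint: drop.
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])


class StaticOneToOneNat:
    """1:1 NAT: a whole public address maps to one inside host, every port at
    once. Anything sent to that address is forwarded, so the host is exposed
    exactly as if it held the public address itself."""

    def __init__(self, public_to_inside: dict):
        self.public_to_inside = dict(public_to_inside)
        self.inside_to_public = {v: k for k, v in public_to_inside.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(self.inside_to_public[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        inside = self.public_to_inside.get(pkt.dst_ip)
        return None if inside is None else Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port)
```

Only the stateful translation table drops the unsolicited probe; with the one-to-one mapping it is forwarded untouched, which is the case a separate firewall policy has to cover.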
I don’t know what to tell you dude. Back in '06 as an admin for campuses where more than half of the machines were XP pre-Service Pack 2, NAT was 100% used as a security feature.
For public WiFi networks and labs where we couldn’t control software on end devices, we put them behind NAT pools purely for security (we still had enough public v4 IPs to give them to printers).
You can hand wave however you want, but back then NAT was used for an easy first level of security.
“There existed a better thing in a pure stateful firewall” is not an argument against people using NAT instead.