nanog mailing list archives
Re: Where NAT disenfranchises the end-user ...
From: Scott Gifford <sgifford () tir com>
Date: 10 Sep 2001 15:00:45 -0400
Roeland Meyer <rmeyer () mhsc com> writes: [...]
Firewalls aren't accidents. NAT address propagation failures are, they are not consistent, and can't be relied upon to continue. Who knows, some genius, somewhere, may fix it tomorrow. Lord knows, there is sufficient incentive to do so. If that happens, your security is toast, if all you are relying on is NAT, rather than putting up a real firewall.
The rest of what you're saying makes sense, but I just don't buy this... A clever design might allow NAT to work with all protocols and in both directions, which would have increased connectivity but decreased security. But how would it get onto my network without me putting it there, and presumably configuring it securely? The box doing NAT is under my control...
----ScottG.