mh (RE: OMB: IPv6 by June 2008)
Jay R. Ashworth
jra at baylink.com
Fri Jul 8 18:10:25 UTC 2005
On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote:
> On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:
> > On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
> >> And if you still want "the protection of NAT," any stateful firewall
> >> will do it.
> >
> > That seems a common viewpoint.
> >
> > I believe the very existence of the Ping Of Death rebuts it.
> >
> > A machine behind a NAT box simply is not visible to the outside world,
> > except for the protocols you tunnel to it, if any. This *has* to
> > vastly reduce its attack exposure.
>
> Not really. Consider the logic in a NAT box:
[ ... ]
> and the logic in a stateful firewall:

Sorry. Given my other-end-of-the-telescope perspective, I was
envisioning an *on-machine* firewall, rather than a box. Clearly *any*
sort of box in the middle helps in the fashion I alluded to, whether it
NATs or not.

Cheers,
-- jra
--
Jay R. Ashworth jra at baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me