Rate of growth on IPv6 not fast enough?

Joe Greco jgreco at ns.sol.net
Fri Apr 23 10:28:52 CDT 2010


> > What makes you think that not using NAT exposes internal topology??
> 
> Or that internal topology cannot leak out through NAT's ? I have seen  
> NATed enterprises
> become massively compromised.

NAT allows people to become far too lazy.  Your typical NAT allows
connections outbound, typically configured without any audit trail,
etc., so once a bad guy is inside the "secure NAT firewall," they're
free to connect out to the 'net.

In comparison, an actual real firewall can prohibit {most, all}
outbound access and force the use of proxies.  Proxies can provide
logging, content scanning, etc., services.

Many times, those who argue in favor of NAT as a "firewall" are the
same ones who seem to actually be relying on the NAT as inbound
protection, but who aren't really doing anything to control their
outbound traffic, or IDS, etc.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list