the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Tue Apr 27 18:47:26 UTC 2010
On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:
> Maybe we want end-to-end to break.
>
> Firewalls can trivially be misconfigured such that they're little more
> than routers, fully exposing all the hosts behind them to everything bad
> the internet has to offer (hackers, malware looking to spread itself,
> etc.).
>
> At least with NAT, if someone really screws up the config, the "inside"
> stuff is all typically on non-publicly-routed IPs, so the worst likely to
> happen is they lose internet, but at least the internet can't directly
> reach them.
You *do* realize that the skill level needed to misconfigure a firewall
into that state, and the skill level needed to do the exact same thing to
a firewall-NAT box, are *both* less than the skill level needed to remember
to also deploy traffic monitors so you know you screwed up, and host-based
firewalls to guard against chuckleheads screwing up the border box?
In other words, if your security scheme relies on that supposed feature of NAT,
you have *other* things you need to be working on.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100427/627abfd9/attachment.sig>
More information about the NANOG
mailing list