[arin-announce] IPv4 Address Space (fwd)
Scott McGrath
mcgrath at fas.harvard.edu
Thu Oct 30 14:22:50 UTC 2003
That was _exactly_ the point I was attempting to make. If you recall
there was a case recently where a subcontractor at a power generation
facility linked their system to an isolated network which gave
unintentional global access to the isolated network. A NAT at the
subcontractor's interface would have prevented this.
Scott C. McGrath
On Wed, 29 Oct 2003, Jack Bates wrote:
>
> David Raistrick wrote:
>
> >
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required..and less-so with IPv6.
> >
>
> I think the point that was being made was that NAT allows the filtering
> of the box to be more idiot proof. Firewall rules tend to be complex,
> which is why mistakes *do* get made and systems still get compromised.
> NAT interfaces and setups tend to be more simplistic, and the IP
> addresses of the device won't route publicly through the firewall or any
> unknown alternate routes.
>
> -Jack
>