[arin-announce] IPv4 Address Space (fwd)

Scott McGrath mcgrath at fas.harvard.edu
Thu Oct 30 14:22:50 UTC 2003



That was _exactly_ the point I was attempting to make.  If you recall
there was a case recently where a subcontractor at a power generation
facility linked their system to an isolated network which gave
unintentional global access to the isolated network.  A NAT at the
subcontractor's interface would have prevented this.


                            Scott C. McGrath

On Wed, 29 Oct 2003, Jack Bates wrote:

> 
> David Raistrick wrote:
> 
> > 
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required..and less-so with IPv6.
> > 
> 
> I think the point that was being made was that NAT allows the filtering 
> of the box to be more idiot proof. Firewall rules tend to be complex, 
> which is why mistakes *do* get made and systems still get compromised. 
> NAT interfaces and setups tend to be more simplistic, and the IP 
> addresses of the device won't route publicly through the firewall or any 
> unknown alternate routes.
> 
> -Jack
> 




More information about the NANOG mailing list