mh (RE: OMB: IPv6 by June 2008)

Crist Clark crist.clark at globalstar.com
Fri Jul 8 21:13:41 UTC 2005


Jay R. Ashworth wrote:
> On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote:
> 
>>On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:
>>
>>>On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
>>>
>>>>And if you still want "the protection of NAT," any stateful firewall
>>>>will do it.
>>>
>>>That seems a common viewpoint.
>>>
>>>I believe the very existence of the Ping Of Death rebuts it.
>>>
>>>A machine behind a NAT box simply is not visible to the outside world,
>>>except for the protocols you tunnel to it, if any.   This *has* to
>>>vastly reduce its attack exposure.
>>
>>Not really.  Consider the logic in a NAT box:
> 
> [ ... ]
> 
>>and the logic in a stateful firewall:
> 
> 
> Sorry.  Given my other-end-of-the-telescope perspective, I was
> envisioning an *on-machine* firewall, rather than a box.  Clearly *any*
> sort of box in the middle helps in the fashion I alluded to, whether it
> NATs or not.

Now I'm confused. Who runs *on-machine* NAT?

I guess that's another nice option for firewalls. It doesn't matter
whether your firewall runs locally or on a remote gateway.

Also, when people here are talking about NAT, note that we are only
talking about many-to-one, overloading, PAT, or whatever you want
to call it. If you are using NAT pools or one-to-one NAT, it buys
you no protection at all unless you add firewalling to the mix.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
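To make the distinction in the last paragraph concrete, here is a small simulation (added illustration, not code from the thread or from any of the posters) of three middleboxes: many-to-one NAT (PAT), one-to-one NAT, and a stateful firewall. Addresses, ports and packets are constructed; the model ignores protocol and timeouts and treats each device as a single in/out hook. It shows that PAT and a stateful firewall both drop an unsolicited inbound packet because no flow entry exists for it, while one-to-one NAT forwards that packet straight to the inside host.

```python
"""Toy model: why PAT behaves like a stateful firewall but 1:1 NAT does not.

Constructed example for illustration; it is not the logic of any real NAT
implementation. Only one 'protocol', no timeouts, no ICMP handling.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PAT:
    """Many-to-one NAT. A translation entry is created only by an outbound
    packet, so an inbound packet with no matching entry has nowhere to go."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_map: dict = {}
        # (public port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                      # first packet of a new flow
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None                       # no state: dropped
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


class OneToOneNAT:
    """Static 1:1 mapping. Every inbound packet to a mapped public address
    is rewritten and forwarded, whether or not the host initiated anything."""

    def __init__(self, static_map: dict):
        self.in_to_pub = dict(static_map)
        self.pub_to_in = {pub: ins for ins, pub in static_map.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.in_to_pub[pkt.src])

    def inbound(self, pkt: Packet):
        inside = self.pub_to_in.get(pkt.dst)
        return None if inside is None else replace(pkt, dst=inside)


class StatefulFirewall:
    """No address rewriting at all; inbound is allowed only if it matches a
    flow that was seen leaving. Same decision rule as PAT.inbound()."""

    def __init__(self):
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None


def unsolicited_inbound_reaches_host(device, inside_ip: str, public_ip: str) -> bool:
    """A probe to the public address with no prior outbound flow."""
    probe = Packet("203.0.113.9", 12345, public_ip, 80)   # constructed sender
    delivered = device.inbound(probe)
    return delivered is not None and delivered.dst == inside_ip


def reply_to_outbound_reaches_host(device, inside_ip: str, public_ip: str) -> bool:
    """The inside host opens a flow; the server's reply should come back."""
    out = device.outbound(Packet(inside_ip, 50000, "198.51.100.7", 443))
    reply = Packet("198.51.100.7", 443, out.src, out.sport)
    back = device.inbound(reply)
    return back is not None and back.dst == inside_ip


if __name__ == "__main__":
    cases = [
        ("PAT", PAT("192.0.2.1"), "10.0.0.5", "192.0.2.1"),
        ("1:1 NAT", OneToOneNAT({"10.0.0.5": "192.0.2.5"}), "10.0.0.5", "192.0.2.5"),
        ("stateful fw", StatefulFirewall(), "192.0.2.5", "192.0.2.5"),
    ]
    for name, dev, inside, pub in cases:
        print(f"{name:12s} unsolicited in: {unsolicited_inbound_reaches_host(dev, inside, pub)}"
              f"  reply to outbound: {reply_to_outbound_reaches_host(dev, inside, pub)}")
```

Only the 1:1 NAT reports `True` for the unsolicited probe; PAT and the stateful firewall reach the same verdict by the same lookup, which is the thread's point that the "protection of NAT" is really the connection state, not the address rewriting.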