Another driver for v6?
jbates at brightok.net
Wed Oct 29 14:21:45 UTC 2008
Brandon Butterworth wrote:
>> as I am very tired of all the problems caused by multiple
>> layers of NATs and PAT.
> Likewise but more because people keep designing stuff to try and force
> others to get rid of them, ignoring why they have them.
A false sense of security? The belief that hiding behind a single IP might
disguise how many hosts you have, which in turn might provide some form of
Inside the network, host to host security is what should be. This can assist in
some protection against bots that do make it to the network, or internal
maliciousness. Security from within has always been overlooked by many, and yet
it is the employees who provide the largest security risk.
Stateful firewalls will not be going away entirely, but they can track state and
perform proxy services without performing address translation. It just scares
people because of their false belief that translating an address shows that
security is working. If stateful monitoring/proxying/limiting is not working,
the address translation doesn't really matter.
NAT has had its uses, but it's lazy and a false sense of overall security. I do
think Microsoft is crazy if they think the need for VPN will disappear, unless
they have another method for the stateful firewalls to snoop, monitor, and alter
the IPSEC host to host packets (which isn't entirely impossible).