Arguing against using public IP space
Dave Hart
davehart at gmail.com
Thu Nov 17 05:56:07 UTC 2011
On Wed, Nov 16, 2011 at 20:38, Ray Soucy <rps at maine.edu> wrote:
> I would go as far as to argue that the false sense of security
> provided by NAT is more dangerous than any current threat that NAT
> alone would prevent.

Agreed, and I don't think that's going far at all. My opinion is
_both_ stateful firewalls and NATs have been responsible for providing
cover for those who fail to secure their endpoints. Yes, dropping a
choke point in front of X hosts is X times easier than securing the X
hosts. No, it didn't secure X hosts.

"Outside is dangerous, inside is trusted" is the root of much current
evil. Breaking end-to-end and encouraging everything that needs it to
jump through ugly hoops such as UDP NAT traversal or carrying all
sorts of non-HTTP over 80 and 443 has made it harder to secure
networks, not easier.

Cheers,
Dave Hart