
On 1/12/2011 2:57 PM, Owen DeLong wrote:
> Try this at home, with/without NAT:
>
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
>
> Without NAT, your unpatched PC will get infected in less than 1 minute.
>
> Wrong. Repeat the experiment with a stateful firewall with default inbound deny and no NAT. Yep... Same results as NAT.
Now let that laptop (or another one on the home subnet) show up with Bridging or Internet Connection Sharing enabled with wired/wireless connections and see what you get. Still maybe OK if it's the "host" firewall, and it's turned on, and it's not domain-joined with the local subnet allowed, etc., but that was post-SP2 and assumes some malware [or the user] hasn't turned it off.

NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof RFC1918 destinations, assuming they get routed all the way to the endpoint... but that's a bigger "if" than a public address).

"Perfect stateful firewall with perfect default inbound deny and no other variables thrown in the mix" and yes, but it's breakable in contrast to the NAT+RFC1918 case. There is something to be said for "unreachable" (i.e., "not in your forwarding table") -- else the VPN / VRF / MPLS / etc folks wouldn't have a leg to stand on :-)

With that said, this isn't a one-size-fits-all, everybody's perfect solution. We've covered the gamut from home CPE to server farms here, with the original question being about a DMZ case. They are however legitimate security layers applied to certain cloves of this particular bulb of garlic (a more appropriate model than the homogeneous "onion") :-)

Jeff
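The experiment Owen describes (stateful default-inbound-deny without NAT versus NAT) and Jeff's "unreachable" point about RFC 1918 destinations can be run through a toy connection-tracking model. The following is an added example written for this thread, not code from either poster; the device classes, addresses and port numbers are hypothetical and constructed. It models only unsolicited inbound traffic, outbound-initiated flows and their replies; the bridging/ICS case Jeff raises is a path that bypasses the edge device entirely and so is not something this model can show.

```python
"""Added example (not from the thread): a toy conntrack model comparing a
stateful firewall with default inbound deny and no NAT against a source-NAT
router. All names and addresses are hypothetical / constructed."""
from dataclasses import dataclass
import ipaddress

# RFC 1918 space: the "not in your forwarding table" case from the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Default inbound deny, no NAT. Inbound packets pass only if they match the
    reverse of a flow an inside host initiated: the toy analogue of
    'ct state established,related accept' under an inbound 'policy drop'."""

    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows: set = set()  # outbound 5-tuples seen so far

    def forward(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in self.inside:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.flows else "DROP"


class NatRouter:
    """Source NAT to a single public address. Inbound packets pass only if a
    port mapping created by outbound traffic exists for them. Packets
    addressed to RFC 1918 space are dropped as unroutable before any
    state lookup, which is Jeff's "unreachable" point."""

    def __init__(self, inside_net: str, public_ip: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.public = public_ip
        self.table: dict = {}  # (proto, public port) -> (src, sport, dst, dport)
        self.next_port = 40000

    def forward(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in self.inside:
            inner = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            for (proto, pport), mapped in self.table.items():
                if proto == pkt.proto and mapped == inner:
                    return f"ACCEPT snat {self.public}:{pport}"
            pport, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, pport)] = inner
            return f"ACCEPT snat {self.public}:{pport}"
        if is_rfc1918(pkt.dst):
            return "UNREACHABLE"  # no forwarding entry for private space
        mapped = self.table.get((pkt.proto, pkt.dport))
        if mapped and pkt.dst == self.public and (mapped[2], mapped[3]) == (pkt.src, pkt.sport):
            return f"ACCEPT dnat {mapped[0]}:{mapped[1]}"
        return "DROP"


def run_experiment() -> dict:
    """Constructed traffic: an unsolicited inbound probe, an outbound request
    and its reply, sent through both devices."""
    fw = StatefulFirewall("192.168.1.0/24")
    nat = NatRouter("192.168.1.0/24", "203.0.113.7")
    probe_fw = Packet("198.51.100.9", 4444, "192.168.1.20", 445)
    probe_nat = Packet("198.51.100.9", 4444, "203.0.113.7", 445)
    request = Packet("192.168.1.20", 51000, "198.51.100.80", 80)
    reply_fw = Packet("198.51.100.80", 80, "192.168.1.20", 51000)
    nat_out = nat.forward(request)  # allocates public port 40000
    reply_nat = Packet("198.51.100.80", 80, "203.0.113.7", 40000)
    return {
        "fw_unsolicited": fw.forward(probe_fw),
        "nat_unsolicited": nat.forward(probe_nat),
        "fw_reply": (fw.forward(request), fw.forward(reply_fw)),
        "nat_reply": (nat_out, nat.forward(reply_nat)),
        "nat_private_dst": nat.forward(probe_fw),
    }


if __name__ == "__main__":
    for name, verdict in run_experiment().items():
        print(f"{name}: {verdict}")
```

Both devices drop the unsolicited probe and accept the reply to the outbound request, which is Owen's "same results as NAT". The one behaviour the NAT router has that the plain stateful firewall lacks is the UNREACHABLE verdict for a packet addressed directly to the private host, the property Jeff is weighing against the firewall's reliance on its rules being correct and still in force.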