On Wed, Feb 2, 2011 at 11:18 PM, Jay Ashworth <jra@baylink.com> wrote:
> Justify yourself in turn, "small number". My personal estimate of the number of NATted edge networks is well north of 75%, on a network count
You don't get to count all NAT'ed IPv4 edge networks the same. Only the number of NAT'ed edge networks that decide they don't want to have normal connectivity for their IPs, even with IP address space available to them, and even after reading up on IPv6.
> Complexity of the configuration vastly increases the size of the attack surface: in a NATted edge network, *no packets can come in unless I explicitly configure for them*; there are any number of
Not necessarily true. This is a case of 'wish it were secure', but can't prove it. It is possible that a client on a NAT'ed network can conspire with an intruder to defeat the NAT device, and in various cases NAT can be completely defeated by an outsider, without a direct conspiracy. Any device on the subnet can spoof a SYN packet from any other device on the subnet. The NAT device will now have a connection entry, and the intruder can use this to circumvent the NAT. A good stateful firewall can prevent this and a few other similar shenanigans. But if the NAT device does not have a true stateful firewall function integrated, it is not nearly as secure as it might at first appear.
> In a firewall, you are *fighting* the default "route this packet" design; in a NATgate, you have to consciously throw the packets over the moat.
It sounds like you have a lousy firewall. Decent stateful firewalls deny all incoming traffic by default that does not go with an outbound connection, until policies have been established. It's possible you can make an erroneous access rule, but you can also make an erroneous port forward on a NAT device.

-- 
-JH
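The spoofed-SYN scenario from the reply above (an inside host forges a SYN from a neighbour, the NAT creates a translation entry, and the outside party then uses that entry), modelled as an added example that is not code from the thread or from any real NAT implementation. It contrasts a protocol-unaware port NAT, which forwards anything that matches a translation, with a NAT that carries TCP handshake state per entry. All hosts, addresses and ports are constructed for illustration:

```python
# Added example: toy model of the "spoofed SYN creates a NAT entry" attack.
# Addresses, ports and host roles below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "RST"}


FlowKey = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


class PlainNat:
    """Port-translating NAT with no protocol awareness: any outbound packet creates
    a translation, and any inbound packet matching one is rewritten and passed in."""

    def __init__(self, ext_ip: str) -> None:
        self.ext_ip = ext_ip
        self.table: Dict[FlowKey, int] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.ext_ip, self.table[key], pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        for (in_ip, in_port, out_ip, out_port), ext_port in self.table.items():
            if (pkt.src, pkt.sport, pkt.dport) == (out_ip, out_port, ext_port):
                return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.flags)
        return None  # no translation: dropped


class StatefulNat(PlainNat):
    """Same translation, but each entry tracks the TCP handshake and inbound
    packets must be consistent with that state."""

    def __init__(self, ext_ip: str) -> None:
        super().__init__(ext_ip)
        self.state: Dict[FlowKey, str] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "RST" in pkt.flags:
            # The inside host refuses the connection: tear the entry down.
            self.table.pop(key, None)
            self.state.pop(key, None)
            return None
        if key not in self.table and "SYN" not in pkt.flags:
            return None  # a new flow must begin with a SYN
        out = super().outbound(pkt)
        st = self.state.get(key)
        if st is None:
            self.state[key] = "SYN_SENT"
        elif st == "SYN_RECV" and "ACK" in pkt.flags:
            self.state[key] = "ESTABLISHED"
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        translated = super().inbound(pkt)
        if translated is None:
            return None
        key = (translated.dst, translated.dport, pkt.src, pkt.sport)
        st = self.state[key]
        if st == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.state[key] = "SYN_RECV"
            return translated
        if st == "ESTABLISHED":
            return translated
        return None  # out-of-state packet dropped


# Constructed hosts: VICTIM and INSIDER share the inside subnet, ATTACKER is outside.
VICTIM, INSIDER, ATTACKER, EXT = "10.0.0.7", "10.0.0.5", "203.0.113.9", "198.51.100.1"


def run_attack(nat: PlainNat) -> bool:
    """Return True if ATTACKER's unsolicited data packet reaches VICTIM."""
    # 1. INSIDER forges a SYN with VICTIM's source address; the NAT makes an entry.
    spoofed = Packet(VICTIM, 5555, ATTACKER, 80, frozenset({"SYN"}))
    ext_port = nat.outbound(spoofed).sport
    # 2. ATTACKER sends data straight at the new entry, skipping the handshake.
    data = Packet(ATTACKER, 80, EXT, ext_port, frozenset({"PSH", "ACK"}))
    if nat.inbound(data) is not None:
        return True
    # 3. ATTACKER plays the handshake instead. VICTIM never sent a SYN, so it
    #    answers the SYN/ACK with RST, which removes the entry.
    synack = Packet(ATTACKER, 80, EXT, ext_port, frozenset({"SYN", "ACK"}))
    if nat.inbound(synack) is not None:
        nat.outbound(Packet(VICTIM, 5555, ATTACKER, 80, frozenset({"RST"})))
    return nat.inbound(data) is not None


def run_legitimate(nat: PlainNat) -> bool:
    """Return True if a normal handshake and the server's reply data pass."""
    ext_port = nat.outbound(Packet(VICTIM, 6000, ATTACKER, 80, frozenset({"SYN"}))).sport
    if nat.inbound(Packet(ATTACKER, 80, EXT, ext_port, frozenset({"SYN", "ACK"}))) is None:
        return False
    nat.outbound(Packet(VICTIM, 6000, ATTACKER, 80, frozenset({"ACK"})))
    return nat.inbound(Packet(ATTACKER, 80, EXT, ext_port, frozenset({"PSH", "ACK"}))) is not None
```

`run_attack(PlainNat(EXT))` returns True: the forged SYN alone is enough to open a path to the victim. `run_attack(StatefulNat(EXT))` returns False while `run_legitimate(StatefulNat(EXT))` still returns True. The model assumes the victim host is up and answers the unsolicited SYN/ACK with a RST; a silent or powered-off victim would leave the half-open entry in place until it times out, which is why real stateful firewalls also age out entries that never reach ESTABLISHED.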