I'm sure everyone understands the underlying principle, but I'm constantly making the point that even the best firewall is not a total security solution. Forget antivirus, IDS, host authentication, etc., and just look on the perimeter. At least four device types lead inside from the DMZ: NAT Firewalls of various flavors VPN concentrators/security gateways Rate-limiting anti-DOS devices to protect host-to-host encryption For small and medium enterprises, these functions might, as an implementation choice, reside in the same box; NAT is most likely to coexist with firewalling or VPN concentration. The latter gets a little Zen-ish if the VPN concentrator acts as a separately addressed proxy anyway. -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sam Stickland Sent: Monday, June 04, 2007 3:04 PM To: Joe Abley Cc: Jim Shankland; Owen DeLong; NANOG list Subject: Re: Security gain from NAT Joe Abley wrote:
On 4-Jun-2007, at 14:32, Jim Shankland wrote:
Shall I do the experiment again where I set up a Linux box at an RFC1918 address, behind a NAT device, publish the root password of the Linux box and its RFC1918 address, and invite all comers to prove me wrong by showing evidence that they've successfully logged into the Linux box?
Perhaps you should run a corresponding experiment whereby you set up a linux box with a globally-unique address, put it behind a firewall which blocks all incoming traffic to that box, and issue a similar invitation.
Do you think the results will be different?
I fear a somewhat more cynical person could interpret the results of such an experiment to mean that NAT is as good as a firewall ;) S