21 Apr 2010
6:26 p.m.
William Herrin wrote:
Not to take issue with either statement in particular, but I think there needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the firewall to work around a priority problem while the senior engineer is on vacation. With NAT protecting unroutable addresses, that failure mode fails closed.
In addition to fail-closed, NAT also means:
* search engines and connectivity providers cannot (easily) differentiate and/or monitor your internal hosts, and
* multiple routes do not have to be announced or otherwise accommodated by internal re-addressing.

Roger Marquis
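A toy model of the failure mode described above (a plain router swapped in for the firewall), added here as an illustration and not taken from the thread: all addresses, the probe ports and the "published services" policy are constructed, and the Internet is modelled simply as a forwarding table with no route to RFC 1918 space.

```python
"""Constructed example: why a NAT'd RFC 1918 inside fails closed when the
firewall is replaced by a router, while a publicly addressed inside fails open."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space the global routing table carries no route for.
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int          # an unsolicited inbound connection attempt to this port

def internet_can_route(dst: str) -> bool:
    """Outside routers only forward to globally routable destinations."""
    return not any(ip_address(dst) in net for net in PRIVATE)

def firewall_allows(pkt: Packet, published: frozenset) -> bool:
    """Stateful edge: only explicitly published (host, port) pairs accept new inbound."""
    return (pkt.dst, pkt.dport) in published

def inbound_reaches_host(pkt: Packet, edge: str, published=frozenset()) -> bool:
    """edge is 'firewall' (normal) or 'router' (the failure mode in the thread)."""
    if not internet_can_route(pkt.dst):
        return False        # fails closed: nothing outside can even forward to it
    if edge == "firewall":
        return firewall_allows(pkt, published)
    return True             # a plain router forwards anything it has a route for

def exposed_hosts(edge: str, hosts, published=frozenset()) -> set:
    """Audit helper: internal hosts an unsolicited outside connection can reach."""
    outside = "203.0.113.7"  # TEST-NET-3, constructed
    probe_ports = (22, 445, 3389)  # constructed sample of commonly filtered services
    return {h for h in hosts for p in probe_ports
            if inbound_reaches_host(Packet(outside, h, p), edge, published)}

if __name__ == "__main__":
    nat_inside = ["10.1.2.3", "192.168.1.10"]
    public_inside = ["198.51.100.5", "198.51.100.6"]
    print("router, NAT inside:   ", exposed_hosts("router", nat_inside))
    print("router, public inside:", exposed_hosts("router", public_inside))
```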