On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:
Maybe we want end-to-end to break.
Firewalls can trivially be misconfigured such that they're little more than routers, fully exposing all the hosts behind them to everything bad the internet has to offer (hackers, malware looking to spread itself, etc.).
At least with NAT, if someone really screws up the config, the "inside" stuff is all typically on non-publicly-routed IPs, so the worst likely to happen is they lose internet, but at least the internet can't directly reach them.
You *do* realize that the skill level needed to misconfigure a firewall into that state, and the skill level needed to do the exact same thing to a firewall-NAT box, are *both* less than the skill level needed to remember to also deploy traffic monitors so you know you screwed up, and host-based firewalls to guard against chuckleheads screwing up the border box? In other words, if your security scheme relies on that supposed feature of NAT, you have *other* things you need to be working on.