I posit that a screen door does not provide any security. A lock and deadbolt provide some security. NAT/PAT is a screen door. Not having public addresses is a screen door. A stateful inspection firewall is a lock and deadbolt.
This is a fine piece of rhetoric, but it's manifestly false and seriously misleading. I have a cluster of Windows machines at my store with no networking security at all. They're behind NAT/PAT and nothing else. None of them have ever been broken into. For a screen door, that's a mighty impressive screen door.

I can give you the root password to a Linux machine running telnetd and sshd. If it's behind NAT/PAT, you will not get into it. Period. I can give you the administrator password to a Windows machine with file sharing wide open. If it's behind NAT/PAT, you will not get into it. Period.

The only ways into these machines would be if the NAT/PAT device were misconfigured, another machine on the secure network were compromised, or another gateway into the secure network were set up. Guess what? All of these things would defeat a stateful inspection firewall as well.

Are there things most stateful inspection firewalls can do that NAT/PAT does not do? Definitely. Are those things valuable and in some cases vital? Definitely. So why lie and distort what NAT/PAT actually does do?

A large class of security vulnerabilities require the attacker to reach out to the machine first, and NAT/PAT stops those attacks completely. Is that enough if there are other attacks that it does nothing to stop? Clearly not. Does that change the fact that it actually does completely prevent a large class of serious attacks? No, it does not.

Is a car alarm useless because some professional thieves can disable it? Is a lock useless because some thieves can pick it? Many exploits only go after low-hanging fruit, and NAT/PAT stops them.

DS
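
A minimal model of the behaviour argued over in this exchange, added here as an illustration and not part of either poster's message: a PAT translation table that delivers inbound packets only when an inside host created the mapping, plus the misconfiguration case the reply names. The class and function names, the addresses and ports (constructed sample values), and the address-and-port-dependent filtering rule are assumptions of this sketch; real devices vary in how strictly they match the remote endpoint.

```python
# Added illustration: toy PAT device. All addresses/ports are constructed samples.
PUBLIC_IP = "203.0.113.1"


class PatDevice:
    def __init__(self):
        self.next_port = 40000
        self.table = {}     # public port -> (inside ip, inside port, remote ip, remote port)
        self.forwards = {}  # static forwards: public port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a flow: allocate a public port and record the mapping."""
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the public address.

        Returns the inside (ip, port) it is delivered to, or None if dropped.
        """
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                 # reply to a flow started from inside
        if dst_port in self.forwards:
            return self.forwards[dst_port]   # static forward: open to any source
        return None                          # no mapping, nowhere to deliver


def demo():
    nat = PatDevice()
    results = {}
    # Unsolicited connection to telnet on the public address: no mapping exists.
    results["unsolicited_telnet"] = nat.inbound("198.51.100.7", 51000, 23)
    # Inside host connects out; the server's reply is translated back to it.
    _, pub, _, _ = nat.outbound("192.168.1.10", 50123, "198.51.100.80", 443)
    results["reply"] = nat.inbound("198.51.100.80", 443, pub)
    # A different remote host hitting the mapped port does not match the flow.
    results["third_party"] = nat.inbound("198.51.100.7", 51000, pub)
    # The misconfiguration case: a static forward exposes the inside service.
    nat.forwards[23] = ("192.168.1.10", 23)
    results["after_forward"] = nat.inbound("198.51.100.7", 51000, 23)
    return results


if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name:20} -> {delivered_to}")
```

The model covers only reachability from outside; it says nothing about traffic that inside hosts initiate, which is where the two posters' positions on stateful inspection diverge.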