On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best.
> If the bad guy is behind the door, it helps hide him.
> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.
For a "server" expected to be open to anyone, anywhere, anytime... yes. Otherwise no. NAT overload (many-to-1), and 1-to-1 NAT with some timeout value, both serve to disconnect the potential targets from the network, absent any static NAT or port mapping (for "servers"). RFC 1918 behind NAT ensures this (notwithstanding pivot attacks). It is a decreasing risk, given the typical user-initiated compromise of today (click here to infect your computer), but a non-zero one. The whole IPv6 / no-NAT philosophy of "always connected and always directly addressable" eliminates this layer.

Jeff
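The behaviour Jeff describes, modelled as an added example that is not part of the thread: a toy many-to-one (overload) NAT with a translation table. Outbound flows create a mapping that expires after a timeout; unsolicited inbound packets are translated only if a live dynamic mapping or a static port mapping (the "server" case) exists, otherwise they are dropped. All addresses, ports and the timeout are constructed sample values.

```python
class StatefulNat:
    """Toy NAT overload: outbound traffic opens a mapping that expires after
    `timeout` seconds; inbound traffic is forwarded only through a live dynamic
    mapping or an explicit static mapping. Time is passed in as `now` so the
    model is deterministic."""

    def __init__(self, public_ip, timeout=300):
        self.public_ip = public_ip
        self.timeout = timeout
        self.dynamic = {}   # ext_port -> (int_ip, int_port, last_seen)
        self.static = {}    # ext_port -> (int_ip, int_port), for "servers"
        self.next_port = 40000

    def add_static(self, ext_port, int_ip, int_port):
        """Static NAT / port mapping: re-exposes one internal host on purpose."""
        self.static[ext_port] = (int_ip, int_port)

    def outbound(self, int_ip, int_port, now):
        """Internal host sends a packet out: reuse or allocate an external port
        and refresh the mapping's last-seen time."""
        for ext_port, (ip, port, _) in self.dynamic.items():
            if (ip, port) == (int_ip, int_port):
                self.dynamic[ext_port] = (ip, port, now)
                return ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.dynamic[ext_port] = (int_ip, int_port, now)
        return ext_port

    def inbound(self, ext_port, now):
        """Packet arrives from outside: return the internal (ip, port) it is
        forwarded to, or None if it is dropped (no mapping, or mapping expired)."""
        if ext_port in self.static:
            return self.static[ext_port]
        entry = self.dynamic.get(ext_port)
        if entry is None:
            return None
        ip, port, last_seen = entry
        if now - last_seen > self.timeout:
            del self.dynamic[ext_port]   # idle timeout: target is disconnected again
            return None
        return (ip, port)
```

The dynamic mapping closes the window once the flow goes idle; only the static mapping keeps a host permanently reachable, which is exactly the trade-off the post draws between "servers" and everything else.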