On 3/24/14 2:38 PM, "William Herrin" <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee@asgard.org> wrote:
On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?
Hi Lee,
I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention.
If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine.
"Obscurity" offers one or more defense layers. If you disagree, post your passwords here.
One that is largely mocked by security professionals. However, ULA can do this.
Unaddressibility is a second defense layer.
I offered ULA+NPT66. I don't recommend it, but it has been described as working, and provides addresses which are not globally reachable.
Stateful firewalling is a third.
We agree. Lee