On Mon, Nov 14, 2011 at 6:01 PM, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
> But a NAT implementation adds thousands of lines of code to the path the packets take, and any time you introduce complexity you decrease the overall security of the system. And the complexity extends beyond the NAT box. Hacking on IPsec, SIP, and lord knows what else to work around address rewriting adds even more opportunities for something to screw up.
>
> If you want security, you have to DEcrease the number of lines of code in the switching path, not add to it.
Hi Lyndon,

Counterpoint: Using two firewalls in serial from two different vendors doubles the complexity. Yet it almost always improves security: fat fingers on one firewall rarely repeat the same way on the second, and a rogue packet must pass both. The same two firewalls in parallel surely reduce security.

Is complexity the enemy of security? In general principle yes, but as with many things IT DEPENDS.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004