On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <Lee@asgard.org> wrote:
On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?
Hi Lee, I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention.
If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine.
"Obscurity" offers one or more defense layers. If you disagree, post your passwords here. Unaddressibility is a second defense layer. Stateful firewalling is a third. You observe that all three are accomplished by the same lines of code in the firewall. The firewall doesn't exist in a void. It's part of a system. That system is configured with unroutable addresses or it isn't. It has many public addresses or it doesn't. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004