On Tue, 15 Nov 2011 09:56:38 EST, William Herrin said:
> A firewall's job is to prevent the success of ACTIVE attack vectors against your network. If your firewall successfully restricts attackers to passive attack vectors (drive-by downloads) and social engineering vectors then it has done everything reasonably expected of it. Those other parts of the overall network security picture are dealt with elsewhere in the system security apparatus. So it's no mistake that in a discussion of firewalls those two attack vectors do not feature prominently.
You missed the point - in the greater scheme of things, the threat model has moved on, so the entire "ZOMG We can't deploy IPv6 because there's no NAT for security" is a total crock of bovine manure. There are *so many* lower-hanging fruit these days that if you're trying to *actually* improve your site's security, you'd just punt worrying about the NAT stuff and focus on doing a better job defending against the threats that are actually succeeding in breaking into systems. In another year or two, lack of IPv6 deployment is going to start impacting the "availability" part of the security triad. I'd worry about *that* more than "how many NATs can dance on the head of a pin".
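The thread's underlying claim, that the inbound-blocking people credit to NAT comes from stateful filtering and works the same on IPv6 without any address translation, is easiest to see in a ruleset. The following nftables configuration is an added illustration, not something either poster wrote; it assumes an Internet-facing interface named `eth0`, an inside interface named `lan0`, and HTTPS on port 443 as the one intentionally exposed service (all three are assumptions, not values from the thread).

```nftables
# Added example (not from the thread): stateful IPv6 filtering with no NAT.
# Assumptions: eth0 faces the Internet, lan0 faces the inside, 443/tcp is the
# only service meant to be reachable from outside.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections this box opened are allowed back in;
        # this, not address rewriting, is what stops unsolicited inbound traffic.
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMPv6 carries Neighbor Discovery and Path MTU Discovery; IPv6 breaks
        # without it, so it must not be blanket-dropped the way ICMPv4 often is.
        meta l4proto ipv6-icmp accept
        # Explicitly exposed service; anything not listed hits the drop policy.
        iifname "eth0" tcp dport 443 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept
        # Inside hosts (globally addressed, no NAT) may open outbound sessions;
        # outside hosts cannot initiate toward them because nothing here allows it.
        iifname "lan0" oifname "eth0" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loaded with `nft -f <file>`, this gives inside hosts the same "outbound only unless explicitly opened" posture a NAT box provides, while leaving the addresses end-to-end. The ICMPv6 line is the usual mistake when people port an IPv4 ruleset: dropping it does not add security and silently breaks neighbor discovery and PMTU handling.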