On Nov 16, 2011, at 8:20 AM, Jamie Bowden wrote:
-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Wednesday, November 16, 2011 11:11 AM To: William Herrin Cc: NANOG Subject: Re: Have they stopped teaching Defense in Depth?
On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka@isc.org> wrote:
If you want to use unroutable addresses then use a bastion host / proxy. Don't expect to be able to open a TCP socket and have it connect to something on the outside. Do it right or don't do it at all.
Mark,
What is a modern NAT but a bastion host proxy for which application compatibility has been maximized?
It is a mechanism for header mutilation which creates additional costs in hardware (cost of routers), software (development of NAT traversal code in various applications, NAT software in some cases), security (NAT obfuscates audit trails and increases the difficulty and cost of event correlation, forensics, abuser identification, and attack source identification and mitigation, etc.).
How is that any different than a proxy server, really? From the inside, your apps are either NAT aware or proxy aware, but either way, you're not directly exposed to the world and all your traffic comes from one place as far as the world is concerned. I live behind both (NAT at home; all external traffic of any type (assuming it's even allowed) is proxied at work), and both suck in different and exciting ways.
Jamie
You answered your own question... They suck in different ways. Owen