|> From: Scott Gifford [mailto:sgifford@tir.com]
|> Sent: Monday, September 10, 2001 10:30 AM
|>
|> Roeland Meyer <rmeyer@mhsc.com> writes:
|> > Any current protection is strictly the
|> > result of a side-effect. The side-effect that breaks the internet
|> > connection. It's a result of the connection being broken.
|> > A properly built
|> > firewall is much more effective and definitely more
|> > deterministic. Neither is it vulnerable to a "fix patch".
|>
|> I don't understand what kind of "fix patch" you're talking about
|> here... NAT uses the same techniques that a stateful firewall uses; if
|> you can find some kind of "fix patch" to bypass NAT, chances are
|> excellent it will work on a stateful firewall, too.

Not so. What is needed to truly fix NAT is to propagate the translated addresses, both ways. This would give you an address product like <Inet addr>:<NAT addr>. The problem is that almost no stack, that I know of, can deal with such a form. The reason NAT works is that you only lose one side and the other side doesn't know that you've lost it.

|> I've actually seen the question of how NAT breaks the Internet more
|> than a good stateful firewall come up more than once, and haven't
|> really seen a satisfactory answer. Where does a stateful firewall
|> configured to only allow outgoing connections work that NAT doesn't?

The difference is determinism. You control, to very fine detail, how a firewall works. Things that don't work are intended to not work. Firewalls aren't accidents. NAT address propagation failures are; they are not consistent, and can't be relied upon to continue. Who knows, some genius, somewhere, may fix it tomorrow. Lord knows, there is sufficient incentive to do so. If that happens, your security is toast, if all you are relying on is NAT, rather than putting up a real firewall.
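The distinction drawn in this reply, protection that falls out of a missing translation versus a rule that explicitly denies, can be made concrete with a small model. The following Python is an added illustration and is not code from the thread or from either correspondent. The NAT, PropagatingNAT and StatefulFirewall classes, the Packet type, the addresses and the port numbers are all constructed for it; the "propagating" NAT is the hypothetical fixed NAT the reply speculates about, modelled as a box that routes packets addressed to inner hosts straight through because no rule in it ever says no.

```python
"""Toy model: NAT-as-protection is a side-effect of a missing translation,
while a stateful firewall denies by explicit policy. Added illustration,
not part of the original mailing-list thread; all addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PUBLIC = "192.0.2.1"   # constructed public address of the gateway
INNER = "10.0.0.5"     # constructed private address of the inside host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NAT:
    """Port-translating NAT. An inbound packet is forwarded only when a
    translation entry exists for it. Anything else is dropped simply
    because there is nowhere to deliver it: nothing here decides to block."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}  # public port -> (inner ip, inner port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == self.public_ip and pkt.dport in self.table:
            inner_ip, inner_port = self.table[pkt.dport]
            return Packet(pkt.src, pkt.sport, inner_ip, inner_port)
        return None  # dropped as a side-effect: no translation, so no destination


class PropagatingNAT(NAT):
    """Hypothetical NAT whose inner addresses are propagated outward, so an
    outside host can name an inside host directly. Once that works, the
    incidental protection vanishes, because there was never a deny rule."""

    def __init__(self, public_ip: str, inner_prefix: str) -> None:
        super().__init__(public_ip)
        self.inner_prefix = inner_prefix

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst.startswith(self.inner_prefix):
            return pkt  # routed straight in: no policy ever said no
        return super().inbound(pkt)


class StatefulFirewall:
    """Explicit outbound-only policy: outbound connections are tracked, and
    any inbound packet that is not a reply to a tracked connection is denied
    by rule, regardless of how addresses are routed or translated."""

    def __init__(self) -> None:
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return pkt
        return None  # dropped by an explicit deny, not by accident


def run_scenario(gw) -> Dict[str, bool]:
    """Open one outbound connection, then try three inbound packets: the
    legitimate reply, an unsolicited packet to the public address, and an
    unsolicited packet addressed directly to the inside host. Returns which
    of them the gateway delivers."""
    out = gw.outbound(Packet(INNER, 51000, "198.51.100.7", 80))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    probes = {
        "reply": reply,
        "to_public": Packet("203.0.113.9", 4444, PUBLIC, 22),
        "to_inner": Packet("203.0.113.9", 4444, INNER, 22),
    }
    return {name: gw.inbound(p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for label, gw in [("plain NAT", NAT(PUBLIC)),
                      ("NAT with address propagation", PropagatingNAT(PUBLIC, "10.0.0.")),
                      ("stateful firewall", StatefulFirewall())]:
        print(f"{label:30s} {run_scenario(gw)}")
```

The plain NAT and the stateful firewall give the same verdicts for all three probes, which is the observation in the quoted question. The difference shows up only when the hypothetical propagation fix is applied: the NAT then delivers the packet addressed to the inside host, while the firewall's verdict is unchanged because it was a policy decision rather than a consequence of the address form.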