Scott McGrath wrote:
> Agreed, NATs do not create security, although many customers believe they do. NATs _are_ extremely useful in hiding network topologies from casual inspection.
This is another bogus argument, and clearly you have not done the math on how long it takes to scan a /64 worth of subnet space. Start by assuming a /16 per second (which is well beyond what I have found as current technology) and see how long 2^48 seconds is.
> What I usually recommend to those who need NAT is a stateful firewall in front of the NAT. The rationale being the NAT hides the topology and the stateful firewall provides the security boundary.
Obscuring the topology provides absolutely no security either. You are not alone, as it is frequently a recommended practice, but obscurity != security no matter how much it is sold as such.

Tony