On Wed, 10 Nov 2004 03:14:51 EST, Jerry Eyers said:
> "Get a firewall" is not a valid response when you have lusers
> to drop the latest netgear whatever onto their PC and dial
> to some provider somewhere. Your firewall is useless to
> protect that segment. In many cases NAT is the ONLY
> protection you end up with in this scenario, a scenario that
> is far too common in the corporate world.

And NAT does what, exactly, to defend you against a PC that has one interface on the NAT'ed network and one interface "elsewhere/elsewhen" (be it a netgear, or somebody at the far end of a VPN, or a laptop that was connected externally, and now is on the corporate LAN)? There's a *reason* why Bill Cheswick said "A crunchy shell around a soft, chewy inside"......