On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:

> Maybe we want end-to-end to break.
>
> Firewalls can trivially be misconfigured such that they're little more
> than routers, fully exposing all the hosts behind them to everything bad
> the internet has to offer (hackers, malware looking to spread itself,
> etc.).
>
> At least with NAT, if someone really screws up the config, the "inside"
> stuff is all typically on non-publicly-routed IPs, so the worst likely to
> happen is they lose internet, but at least the internet can't directly
> reach them.
You *do* realize that the skill level needed to misconfigure a firewall into that state, and the skill level needed to do the exact same thing to a firewall-NAT box, are *both* less than the skill level needed to remember to also deploy traffic monitors so you know you screwed up, and host-based firewalls to guard against chuckleheads screwing up the border box? In other words, if your security scheme relies on that supposed feature of NAT, you have *other* things you need to be working on.