On Oct 30, 2010, at 5:16 PM, Roger Marquis <[email protected]> wrote:

>> On Fri, Oct 29, 2010 at 06:19:16PM -0700, Roger Marquis wrote:
>>> _Also_?  Some?  Really?  I don't mean to question Margaret's experience
>>> but I have to wonder what this statement is based on.  Most of us
>>> security professionals use NAT to block _all_ incoming connections
>>> _by_default_.  This is known as fail-closed.
>> 
>> Would you please not speak of "us security professionals"?  I consider
>> your attitude toward NAT unacceptable, and do not want to be put into the
>> same basket as you.  Speak for yourself, don't assume you can speak for
>> "most of us security professionals".
> 
> Ok, consider my statements as applicable to enterprise security
> professionals then, the ones with responsibility for edge firewalls, the
> overwhelming majority of whom know that NAT is an important security tool
> and have no carrier-driven or marketing-driven hidden agendas.

Nope. NAT66 as per the draft, but for address independence, not security.
The stateful firewall handles the connection blocking, the NAT handles the 
separation between the enterprise addressing and the local provider addressing, 
and regular audits handle the "humans are touching configs" aspect. 
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
