I'm sure everyone understands the underlying principle, but I'm constantly making the point that even the best firewall is not a total security solution. Forget antivirus, IDS, host authentication, etc., and just look on the perimeter.
At least four device types lead inside from the DMZ:

  NAT
  Firewalls of various flavors
  VPN concentrators/security gateways
  Rate-limiting anti-DOS devices to protect host-to-host encryption

For small and medium enterprises, these functions might, as an implementation choice, reside in the same box; NAT is most likely to coexist with firewalling or VPN concentration. The latter gets a little Zen-ish if the VPN concentrator acts as a separately addressed proxy anyway.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Stickland
Sent: Monday, June 04, 2007 3:04 PM
To: Joe Abley
Cc: Jim Shankland; Owen DeLong; NANOG list
Subject: Re: Security gain from NAT

Joe Abley wrote:
>
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
>> Shall I do the experiment again where I set up a Linux box
>> at an RFC1918 address, behind a NAT device, publish the root
>> password of the Linux box and its RFC1918 address, and invite
>> all comers to prove me wrong by showing evidence that they've
>> successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up a
> linux box with a globally-unique address, put it behind a firewall
> which blocks all incoming traffic to that box, and issue a similar
> invitation.
>
> Do you think the results will be different?

I fear a somewhat more cynical person could interpret the results of
such an experiment to mean that NAT is as good as a firewall ;)

S
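The two experiments proposed in the quoted exchange (an RFC1918 host behind a NAT device versus a globally addressed host behind a firewall that blocks all incoming traffic) can be modelled side by side. The following is an added example written for this page, not code from any poster or from any firewall product: a small stateful gateway that keeps a flow table and, optionally, rewrites the inside address (NAT). All addresses, ports and the port pool are constructed values from the RFC 1918 and RFC 5737 documentation ranges.

```python
# Added example (not from the thread): model of a default-deny stateful
# gateway, with and without address translation, run against the two
# experiments discussed above. Addresses are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# (inside ip, inside port, remote ip, remote port)
FlowKey = Tuple[str, int, str, int]


class StatefulGateway:
    """Default-deny gateway: an inbound packet passes only if it matches a
    flow an inside host opened. With translate_to set, the inside address
    is rewritten to that one public address, i.e. the device acts as NAT."""

    def __init__(self, translate_to: Optional[str] = None) -> None:
        self.translate_to = translate_to
        self.flows: Dict[FlowKey, int] = {}  # flow -> port seen on the outside
        self.next_port = 40000               # hypothetical NAT port pool

    def outbound(self, pkt: Packet) -> Packet:
        """Record the flow and return the packet as it appears outside."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if self.translate_to is None:
                self.flows[key] = pkt.sport        # plain firewall: no rewrite
            else:
                self.flows[key] = self.next_port   # NAT: allocate a public port
                self.next_port += 1
        outside_src = self.translate_to or pkt.src
        return Packet(outside_src, self.flows[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is dropped."""
        for (in_ip, in_port, rem_ip, rem_port), outside_port in self.flows.items():
            outside_dst = self.translate_to or in_ip
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (rem_ip, rem_port, outside_dst, outside_port):
                # Reply to a flow the inside host initiated: admitted.
                return Packet(pkt.src, pkt.sport, in_ip, in_port)
        return None  # no matching state: unsolicited, dropped in both designs


def run_experiment(nat: bool) -> dict:
    """Probe the inside host from outside, then check that replies to an
    inside-initiated flow still arrive. Returns what was observed."""
    if nat:
        inside_ip, reachable_ip = "10.0.0.5", "198.51.100.1"  # RFC1918 host, public NAT address
        gw = StatefulGateway(translate_to=reachable_ip)
    else:
        inside_ip = reachable_ip = "203.0.113.5"              # globally unique host address
        gw = StatefulGateway()
    remote = "192.0.2.9"                                      # an outside host (constructed)

    # Unsolicited inbound attempt to port 22 on the address visible from outside.
    probe_delivered = gw.inbound(Packet(remote, 51234, reachable_ip, 22))

    # The inside host connects out to port 80; the reply must be admitted.
    seen_outside = gw.outbound(Packet(inside_ip, 55000, remote, 80))
    reply = gw.inbound(Packet(remote, 80, seen_outside.src, seen_outside.sport))

    return {
        "probe_dropped": probe_delivered is None,
        "reply_delivered": reply is not None and reply.dst == inside_ip and reply.dport == 55000,
        "source_rewritten": seen_outside.src != inside_ip,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("NAT" if mode else "firewall", run_experiment(nat=mode))
```

Both runs drop the unsolicited probe and admit the reply; the only field that differs is whether the source address was rewritten. In this model the blocking comes entirely from the flow table, which is the same in both designs, so the outcome of the two experiments is the same. The model also shows why neither device is a total solution in the sense of the reply above: whatever comes back on an admitted flow is passed through without further inspection.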