On 17/02/2024, 19:27:20, "William Herrin" <b...@herrin.us> wrote:
So it does not surprise me that a 1994 book on network security would
not have discussed NAT. They'd have referred to the comparable
contemporary technology, which was "transparent application layer
gateways." Those behaved like what we now call NAT but did the job a
different way: instead of modifying packets, they terminated the
connection and proxied it.

And that was a very desired feature plus the address isolation,
then and for decades since. The clients IP stack was not trusted
to interact directly with external hosts.

See socks proxy too (and later Squid). It is still in use today
in some places.

There were stateful firewalls but trust was reduced when the
Firewall 1 undocumented and not unconfigurable default DNS UDP
inbound rule was discovered, it let anyone on the Internets "DNS"
packets reach any host on the inside they could guess the address
of. The "what if the product does allow packets in it is expected
not to" consideration drove having unreachable internal addressing.

Clicking on rules and assuming it is all good forever more through
product revisions was not sufficient. Every version would need a
significant re audit and probably miss any real problem.

How are people validating their firewall does what they think it
does?

brandon


Reply via email to