On Jul 23, 2010, at 2:50 AM, Jens Link wrote:

> Owen DeLong <o...@delong.com> writes:
>
>> In all reality:
>>
>> 1. NAT has nothing to do with security. Stateful inspection provides
>> security, NAT just mangles addresses.
>
> You know that, I know that and (hopefully) all people on this list know
> that. But NAT == security was and still is sold by many people.

So is snake oil.

>> Most customers don't know or care what NAT is and wouldn't know the
>> difference between a NAT firewall and a stateful inspection firewall.
>
> I agree. But there are also many people who want to believe in NAT as
> a security feature.
>
> After one of my talks about IPv6 the firewall admins of a company said
> something like: "So we can't use NAT as an excuse anymore and have to
> configure firewall rules? We don't want this."

So how did you answer him? The correct answer is "No, you don't have to configure rules, you just need one rule supplied by default which denies anything that doesn't have a corresponding outbound entry in the state table and it works just like NAT without the address mangling".

In my experience, other than a small handful of religious zealots, that explanation is sufficient to get the point across to most such admins.

Owen
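The "one default rule" Owen describes, written out as an nftables ruleset. This is an added example, not part of the original thread or of any poster's configuration. The interface names lan0 and wan0 are assumptions; the ICMPv6 accept lines are also an addition beyond what the post says, because IPv6 neighbor discovery and path MTU discovery stop working if ICMPv6 is dropped along with everything else. Only connection state is checked; no address is rewritten anywhere.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): stateful default-deny for
# IPv6 without any address translation. Inbound packets are accepted only
# when they belong to a flow the inside already opened (the conntrack
# state table), which is the behaviour NAT is usually credited with.
# Interface names lan0 (inside) and wan0 (upstream) are assumptions.

flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Traffic belonging to a flow the firewall itself initiated.
        ct state established,related accept
        ct state invalid drop
        # Addition beyond the post: ICMPv6 is required for IPv6 to work
        # at all (neighbor discovery, router advertisements, PMTUD).
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward hook priority 0; policy drop;

        # Replies to connections the inside network already opened.
        ct state established,related accept
        ct state invalid drop
        # Anything leaving from the inside is allowed; this is what
        # creates the state-table entries the rule above matches on.
        iifname "lan0" oifname "wan0" accept
        # Addition beyond the post: let ICMPv6 reach inside hosts.
        oifname "lan0" meta l4proto ipv6-icmp accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`; unsolicited inbound connections to inside hosts are dropped by the chain policy, while the inside keeps full outbound reachability with its real global addresses intact.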