On 1/10/2011 6:55 PM, Owen DeLong wrote:
> Nonetheless, NAT remains an opaque screen door at best.
>
> If the bad guy is behind the door, it helps hide him.
>
> If the bad guy is outside the door, the time it takes for his knife to cut
> through it is so small as to be meaningless.
For a "server" expected to be open to anyone, anywhere, anytime... yes. Otherwise no. NAT overload (many to 1), and 1-to-1 NAT with some timeout value both serve to disconnect the potential targets from the network, absent any static NAT or port mapping (for "servers"). RFC-1918 behind NAT ensures this (notwithstanding pivot attacks). It is a decreasing risk, given the typical user-initiated compromise of today (click here to infect your computer), but a non-zero one. The whole IPv6 / no-NAT philosophy of "always connected and always directly addressable" eliminates this layer.

Jeff
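As an added illustration (not part of the thread) of the distinction Jeff draws between dynamic translations and static mappings, the following constructed Python model of a stateful NAT's translation table shows which inbound packets reach an RFC 1918 host: entries created by outbound flows expire after an assumed idle timeout, only explicitly mapped ports accept unsolicited inbound traffic, and an already-compromised inside host can still open flows outward (the "pivot" caveat). All addresses, ports and the timeout value are made-up sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed idle timeout for dynamic translations (a constructed value).
IDLE_TIMEOUT = 300  # seconds

@dataclass
class NatTable:
    """Minimal model of a NAT overload (many-to-1) device with optional static port maps."""
    public_ip: str
    # public port -> (inside ip, inside port); the "server" exceptions Jeff mentions
    static_maps: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # public port -> (inside ip, inside port, last_seen); created only by outbound traffic
    dynamic: Dict[int, Tuple[str, int, float]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, inside_ip: str, inside_port: int, now: float) -> int:
        """An inside host sends a packet out: reuse or allocate a public port."""
        for pport, (ip, port, _) in self.dynamic.items():
            if (ip, port) == (inside_ip, inside_port):
                self.dynamic[pport] = (ip, port, now)  # refresh the idle timer
                return pport
        pport = self.next_port
        self.next_port += 1
        self.dynamic[pport] = (inside_ip, inside_port, now)
        return pport

    def inbound(self, dst_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Packet arrives at public_ip:dst_port; return the inside target or None if dropped."""
        if dst_port in self.static_maps:
            return self.static_maps[dst_port]        # static mapping: always reachable
        entry = self.dynamic.get(dst_port)
        if entry is None:
            return None                              # no translation: unsolicited, dropped
        ip, port, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self.dynamic[dst_port]               # flow expired: host "disconnected" again
            return None
        self.dynamic[dst_port] = (ip, port, now)
        return (ip, port)

def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Run a few constructed scenarios against a fresh table and return the decisions."""
    nat = NatTable("203.0.113.1", static_maps={443: ("10.0.0.5", 443)})
    p = nat.outbound("10.0.0.7", 51234, now=0)        # ordinary client opens a connection
    pivot = nat.outbound("10.0.0.9", 60000, now=0)    # compromised host beacons out: NAT does not stop it
    return {
        "reply_in_flow": nat.inbound(p, now=10),
        "scan_random_port": nat.inbound(22, now=10),
        "server_static": nat.inbound(443, now=10),
        "reply_after_timeout": nat.inbound(p, now=10 + IDLE_TIMEOUT + 1),
        "pivot_beacon_reply": nat.inbound(pivot, now=10),
    }
```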